adding database workloads
crunchy postgres dragonfly emqx
This commit is contained in:
parent
d439c2084c
commit
3251d8240b
29 changed files with 1092 additions and 0 deletions
28
kubernetes/apps/database/crunchy-postgres-operator/README.md
Normal file
28
kubernetes/apps/database/crunchy-postgres-operator/README.md
Normal file
|
@ -0,0 +1,28 @@
|
|||
# Helpful PGO Commands
|
||||
|
||||
Grab the cli from Github:
|
||||
[GitHub](https://github.com/CrunchyData/postgres-operator-client) [Docs](https://access.crunchydata.com/documentation/postgres-operator-client/latest/)
|
||||
|
||||
## Point In Time Restore
|
||||
|
||||
`pgo show postgres -n database` for backup information
|
||||
|
||||
### Whole cluster
|
||||
```sh
|
||||
pgo restore postgres -n database \
|
||||
--options "--type=time --target='2024-04-09 11:00:03+00'" \
|
||||
--repoName repo1
|
||||
```
|
||||
|
||||
### Individual databases
|
||||
```sh
|
||||
pgo restore postgres -n database \
|
||||
--options "--type=time --target='2024-04-09 11:00:03+00' --db-include=postgres" \
|
||||
--repoName repo1
|
||||
```
|
||||
|
||||
## Manual full backup
|
||||
|
||||
```sh
|
||||
pgo backup postgres -n database --repoName repo1
|
||||
```
|
|
@ -0,0 +1,38 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: &name crunchy-postgres
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: onepassword-connect
|
||||
target:
|
||||
name: crunchy-postgres-secret
|
||||
template:
|
||||
engineVersion: v2
|
||||
data:
|
||||
s3.conf: |
|
||||
[global]
|
||||
repo1-s3-key={{ .minio_crunchy_postgres_access_key }}
|
||||
repo1-s3-key-secret={{ .minio_crunchy_postgres_secret_key }}
|
||||
encryption.conf: |
|
||||
[global]
|
||||
repo1-cipher-pass={{ .crunchy_postgres_backup_encryption_cipher }}
|
||||
dataFrom:
|
||||
- extract:
|
||||
key: crunchy-postgres
|
||||
rewrite:
|
||||
- regexp:
|
||||
source: "(.*)"
|
||||
target: "crunchy_postgres_$1"
|
||||
- extract:
|
||||
key: minio
|
||||
rewrite:
|
||||
- regexp:
|
||||
source: "[-]"
|
||||
target: "_"
|
||||
- regexp:
|
||||
source: "(.*)"
|
||||
target: "minio_$1"
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: postgres-gatus-ep
|
||||
labels:
|
||||
gatus.io/enabled: "true"
|
||||
data:
|
||||
config.yaml: |
|
||||
endpoints:
|
||||
- name: postgres
|
||||
group: infrastructure
|
||||
url: tcp://postgres-primary.database.svc.cluster.local:5432
|
||||
interval: 1m
|
||||
ui:
|
||||
hide-url: true
|
||||
hide-hostname: true
|
||||
conditions:
|
||||
- "[CONNECTED] == true"
|
||||
alerts:
|
||||
- type: pushover
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./externalsecret.yaml
|
||||
- ./gatus.yaml
|
||||
- ./postgrescluster.yaml
|
||||
- ./pushsecret.yaml
|
||||
- ./service.yaml
|
|
@ -0,0 +1,179 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/postgres-operator.crunchydata.com/postgrescluster_v1beta1.json
|
||||
apiVersion: postgres-operator.crunchydata.com/v1beta1
|
||||
kind: PostgresCluster
|
||||
metadata:
|
||||
name: &name postgres
|
||||
spec:
|
||||
postgresVersion: 16
|
||||
|
||||
metadata:
|
||||
labels:
|
||||
crunchy-userinit.ramblurr.github.com/enabled: "true"
|
||||
crunchy-userinit.ramblurr.github.com/superuser: "postgres"
|
||||
|
||||
service:
|
||||
type: LoadBalancer
|
||||
metadata:
|
||||
annotations:
|
||||
external-dns.alpha.kubernetes.io/hostname: postgres.jahanson.tech
|
||||
io.cilium/lb-ipam-ips: 10.1.1.35
|
||||
|
||||
monitoring:
|
||||
pgmonitor:
|
||||
exporter:
|
||||
# https://github.com/CrunchyData/postgres-operator-examples/blob/main/helm/install/values.yaml
|
||||
image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-0.15.0-3
|
||||
|
||||
patroni: # turn on sync writes to at least 1 other replica
|
||||
dynamicConfiguration:
|
||||
synchronous_mode: true
|
||||
postgresql:
|
||||
synchronous_commit: "on"
|
||||
pg_hba:
|
||||
- hostnossl all all 10.244.0.0/16 md5 # Needed because dbman does not support SSL yet
|
||||
- hostssl all all all md5
|
||||
|
||||
instances:
|
||||
- name: postgres
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: crunchy-postgres
|
||||
replicas: &replica 1
|
||||
dataVolumeClaimSpec:
|
||||
storageClassName: openebs-hostpath
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 20Gi
|
||||
topologySpreadConstraints:
|
||||
- maxSkew: 1
|
||||
topologyKey: "kubernetes.io/hostname"
|
||||
whenUnsatisfiable: "DoNotSchedule"
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
postgres-operator.crunchydata.com/cluster: *name
|
||||
postgres-operator.crunchydata.com/data: postgres
|
||||
|
||||
users:
|
||||
# Superuser
|
||||
- name: postgres
|
||||
databases:
|
||||
- postgres
|
||||
options: "SUPERUSER"
|
||||
password:
|
||||
type: AlphaNumeric
|
||||
# Applications
|
||||
- name: atuin
|
||||
databases:
|
||||
- atuin
|
||||
password:
|
||||
type: AlphaNumeric
|
||||
- name: autobrr
|
||||
databases:
|
||||
- autobrr
|
||||
password:
|
||||
type: AlphaNumeric
|
||||
- name: gatus
|
||||
databases:
|
||||
- gatus
|
||||
password:
|
||||
type: AlphaNumeric
|
||||
- name: grafana
|
||||
databases:
|
||||
- grafana
|
||||
password:
|
||||
type: AlphaNumeric
|
||||
- name: kasm
|
||||
databases:
|
||||
- kasm
|
||||
password:
|
||||
type: AlphaNumeric
|
||||
- name: prowlarr
|
||||
databases:
|
||||
- prowlarr_logs
|
||||
- prowlarr_main
|
||||
password:
|
||||
type: AlphaNumeric
|
||||
- name: radarr
|
||||
databases:
|
||||
- radarr_logs
|
||||
- radarr_main
|
||||
password:
|
||||
type: AlphaNumeric
|
||||
- name: sonarr
|
||||
databases:
|
||||
- sonarr_logs
|
||||
- sonarr_main
|
||||
password:
|
||||
type: AlphaNumeric
|
||||
- name: jellyseerr
|
||||
databases:
|
||||
- jellyseerr
|
||||
password:
|
||||
type: AlphaNumeric
|
||||
|
||||
|
||||
backups:
|
||||
pgbackrest:
|
||||
configuration: &backupConfig
|
||||
- secret:
|
||||
name: crunchy-postgres-secret
|
||||
global: &backupFlag
|
||||
archive-timeout: "60"
|
||||
compress-type: "bz2"
|
||||
compress-level: "9"
|
||||
delta: "y"
|
||||
repo1-retention-full-type: "time"
|
||||
repo1-retention-full: "14"
|
||||
repo1-retention-diff: "30"
|
||||
repo1-path: "/crunchy-pgo"
|
||||
repo1-s3-uri-style: path
|
||||
archive-push-queue-max: 4GiB
|
||||
manual:
|
||||
repoName: repo1
|
||||
options:
|
||||
- --type=full
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: crunchy-postgres-backup
|
||||
repos:
|
||||
- name: repo1 # Minio
|
||||
s3: &minio
|
||||
bucket: "crunchy-main"
|
||||
endpoint: "s3.hsn.dev"
|
||||
region: "us-east-1"
|
||||
schedules:
|
||||
full: "0 1 * * 0" # Sunday at 01:00
|
||||
differential: "0 1 * * 1-6" # Mon-Sat at 01:00
|
||||
incremental: "0 2-23 * * *" # Every hour except 01:00
|
||||
|
||||
dataSource:
|
||||
pgbackrest:
|
||||
stanza: "db"
|
||||
configuration: *backupConfig
|
||||
global: *backupFlag
|
||||
repo:
|
||||
name: "repo1"
|
||||
s3: *minio
|
||||
|
||||
proxy:
|
||||
pgBouncer:
|
||||
port: 5432
|
||||
replicas: *replica
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: crunchy-postgres-pgbouncer
|
||||
config:
|
||||
global:
|
||||
pool_mode: "transaction" # pgBouncer is set to transaction for Authentik. Grafana requires session https://github.com/grafana/grafana/issues/74260#issuecomment-1702795311. Everything else is happy with transaction
|
||||
client_tls_sslmode: prefer
|
||||
topologySpreadConstraints:
|
||||
- maxSkew: 1
|
||||
topologyKey: "kubernetes.io/hostname"
|
||||
whenUnsatisfiable: "DoNotSchedule"
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
postgres-operator.crunchydata.com/cluster: *name
|
||||
postgres-operator.crunchydata.com/role: "pgbouncer"
|
|
@ -0,0 +1,280 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/pushsecret_v1alpha1.json
|
||||
apiVersion: external-secrets.io/v1alpha1
|
||||
kind: PushSecret
|
||||
metadata:
|
||||
name: grafana
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRefs:
|
||||
- name: onepassword-connect
|
||||
kind: ClusterSecretStore
|
||||
selector:
|
||||
secret:
|
||||
name: postgres-pguser-grafana
|
||||
data:
|
||||
- match:
|
||||
secretKey: dbname
|
||||
remoteRef:
|
||||
remoteKey: grafana
|
||||
property: GF_DATABASE_NAME
|
||||
- match:
|
||||
secretKey: host
|
||||
remoteRef:
|
||||
remoteKey: grafana
|
||||
property: GF_DATABASE_HOST
|
||||
- match:
|
||||
secretKey: user
|
||||
remoteRef:
|
||||
remoteKey: grafana
|
||||
property: GF_DATABASE_USER
|
||||
- match:
|
||||
secretKey: password
|
||||
remoteRef:
|
||||
remoteKey: grafana
|
||||
property: GF_DATABASE_PASSWORD
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/pushsecret_v1alpha1.json
|
||||
apiVersion: external-secrets.io/v1alpha1
|
||||
kind: PushSecret
|
||||
metadata:
|
||||
name: gatus
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRefs:
|
||||
- name: onepassword-connect
|
||||
kind: ClusterSecretStore
|
||||
selector:
|
||||
secret:
|
||||
name: postgres-pguser-gatus
|
||||
data:
|
||||
- match:
|
||||
secretKey: dbname
|
||||
remoteRef:
|
||||
remoteKey: gatus
|
||||
property: pg_database
|
||||
- match:
|
||||
secretKey: port
|
||||
remoteRef:
|
||||
remoteKey: gatus
|
||||
property: pg_port
|
||||
- match:
|
||||
secretKey: user
|
||||
remoteRef:
|
||||
remoteKey: gatus
|
||||
property: pg_username
|
||||
- match:
|
||||
secretKey: password
|
||||
remoteRef:
|
||||
remoteKey: gatus
|
||||
property: pg_password
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/pushsecret_v1alpha1.json
|
||||
apiVersion: external-secrets.io/v1alpha1
|
||||
kind: PushSecret
|
||||
metadata:
|
||||
name: prowlarr
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRefs:
|
||||
- name: onepassword-connect
|
||||
kind: ClusterSecretStore
|
||||
selector:
|
||||
secret:
|
||||
name: postgres-pguser-prowlarr
|
||||
data:
|
||||
- match:
|
||||
secretKey: host
|
||||
remoteRef:
|
||||
remoteKey: prowlarr
|
||||
property: PROWLARR_POSTGRES_HOST
|
||||
- match:
|
||||
secretKey: user
|
||||
remoteRef:
|
||||
remoteKey: prowlarr
|
||||
property: PROWLARR_POSTGRES_USER
|
||||
- match:
|
||||
secretKey: password
|
||||
remoteRef:
|
||||
remoteKey: prowlarr
|
||||
property: PROWLARR_POSTGRES_PASSWORD
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/pushsecret_v1alpha1.json
|
||||
apiVersion: external-secrets.io/v1alpha1
|
||||
kind: PushSecret
|
||||
metadata:
|
||||
name: sonarr
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRefs:
|
||||
- name: onepassword-connect
|
||||
kind: ClusterSecretStore
|
||||
selector:
|
||||
secret:
|
||||
name: postgres-pguser-sonarr
|
||||
data:
|
||||
- match:
|
||||
secretKey: host
|
||||
remoteRef:
|
||||
remoteKey: sonarr
|
||||
property: SONARR_POSTGRES_HOST
|
||||
- match:
|
||||
secretKey: user
|
||||
remoteRef:
|
||||
remoteKey: sonarr
|
||||
property: SONARR_POSTGRES_USER
|
||||
- match:
|
||||
secretKey: password
|
||||
remoteRef:
|
||||
remoteKey: sonarr
|
||||
property: SONARR_POSTGRES_PASSWORD
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/pushsecret_v1alpha1.json
|
||||
apiVersion: external-secrets.io/v1alpha1
|
||||
kind: PushSecret
|
||||
metadata:
|
||||
name: radarr
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRefs:
|
||||
- name: onepassword-connect
|
||||
kind: ClusterSecretStore
|
||||
selector:
|
||||
secret:
|
||||
name: postgres-pguser-radarr
|
||||
data:
|
||||
- match:
|
||||
secretKey: host
|
||||
remoteRef:
|
||||
remoteKey: radarr
|
||||
property: RADARR_POSTGRES_HOST
|
||||
- match:
|
||||
secretKey: user
|
||||
remoteRef:
|
||||
remoteKey: radarr
|
||||
property: RADARR_POSTGRES_USER
|
||||
- match:
|
||||
secretKey: password
|
||||
remoteRef:
|
||||
remoteKey: radarr
|
||||
property: RADARR_POSTGRES_PASSWORD
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/pushsecret_v1alpha1.json
|
||||
apiVersion: external-secrets.io/v1alpha1
|
||||
kind: PushSecret
|
||||
metadata:
|
||||
name: atuin
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRefs:
|
||||
- name: onepassword-connect
|
||||
kind: ClusterSecretStore
|
||||
selector:
|
||||
secret:
|
||||
name: postgres-pguser-atuin
|
||||
data:
|
||||
- match:
|
||||
secretKey: host
|
||||
remoteRef:
|
||||
remoteKey: atuin
|
||||
property: ATUIN_POSTGRES_HOST
|
||||
- match:
|
||||
secretKey: user
|
||||
remoteRef:
|
||||
remoteKey: atuin
|
||||
property: ATUIN_POSTGRES_USER
|
||||
- match:
|
||||
secretKey: password
|
||||
remoteRef:
|
||||
remoteKey: atuin
|
||||
property: ATUIN_POSTGRES_PASSWORD
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/pushsecret_v1alpha1.json
|
||||
apiVersion: external-secrets.io/v1alpha1
|
||||
kind: PushSecret
|
||||
metadata:
|
||||
name: jellyseerr
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRefs:
|
||||
- name: onepassword-connect
|
||||
kind: ClusterSecretStore
|
||||
selector:
|
||||
secret:
|
||||
name: postgres-pguser-jellyseerr
|
||||
data:
|
||||
- match:
|
||||
secretKey: host
|
||||
remoteRef:
|
||||
remoteKey: jellyseerr
|
||||
property: JELLYSEERR_POSTGRES_HOST
|
||||
- match:
|
||||
secretKey: user
|
||||
remoteRef:
|
||||
remoteKey: jellyseerr
|
||||
property: JELLYSEERR_POSTGRES_USER
|
||||
- match:
|
||||
secretKey: password
|
||||
remoteRef:
|
||||
remoteKey: jellyseerr
|
||||
property: JELLYSEERR_POSTGRES_PASSWORD
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/pushsecret_v1alpha1.json
|
||||
apiVersion: external-secrets.io/v1alpha1
|
||||
kind: PushSecret
|
||||
metadata:
|
||||
name: autobrr
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRefs:
|
||||
- name: onepassword-connect
|
||||
kind: ClusterSecretStore
|
||||
selector:
|
||||
secret:
|
||||
name: postgres-pguser-autobrr
|
||||
data:
|
||||
- match:
|
||||
secretKey: host
|
||||
remoteRef:
|
||||
remoteKey: autobrr
|
||||
property: AUTOBRR_POSTGRES_HOST
|
||||
- match:
|
||||
secretKey: user
|
||||
remoteRef:
|
||||
remoteKey: autobrr
|
||||
property: AUTOBRR_POSTGRES_USER
|
||||
- match:
|
||||
secretKey: password
|
||||
remoteRef:
|
||||
remoteKey: autobrr
|
||||
property: AUTOBRR_POSTGRES_PASSWORD
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/pushsecret_v1alpha1.json
|
||||
apiVersion: external-secrets.io/v1alpha1
|
||||
kind: PushSecret
|
||||
metadata:
|
||||
name: kasm
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRefs:
|
||||
- name: onepassword-connect
|
||||
kind: ClusterSecretStore
|
||||
selector:
|
||||
secret:
|
||||
name: postgres-pguser-kasm
|
||||
data:
|
||||
- match:
|
||||
secretKey: host
|
||||
remoteRef:
|
||||
remoteKey: kasm
|
||||
property: KASM_POSTGRES_HOST
|
||||
- match:
|
||||
secretKey: user
|
||||
remoteRef:
|
||||
remoteKey: kasm
|
||||
property: KASM_POSTGRES_USER
|
||||
- match:
|
||||
secretKey: password
|
||||
remoteRef:
|
||||
remoteKey: kasm
|
||||
property: KASM_POSTGRES_PASSWORD
|
|
@ -0,0 +1,20 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
postgres-operator.crunchydata.com/cluster: postgres
|
||||
postgres-operator.crunchydata.com/role: primary
|
||||
name: postgres-primary-real
|
||||
namespace: media
|
||||
spec:
|
||||
internalTrafficPolicy: Cluster
|
||||
ports:
|
||||
- name: postgres
|
||||
port: 5432
|
||||
protocol: TCP
|
||||
targetPort: postgres
|
||||
selector:
|
||||
postgres-operator.crunchydata.com/cluster: postgres
|
||||
postgres-operator.crunchydata.com/role: master
|
||||
type: ClusterIP
|
|
@ -0,0 +1,20 @@
|
|||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/clustersecretstore_v1beta1.json
|
||||
---
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ClusterSecretStore
|
||||
metadata:
|
||||
name: crunchy-pgo-secrets
|
||||
spec:
|
||||
provider:
|
||||
kubernetes:
|
||||
remoteNamespace: database
|
||||
server:
|
||||
caProvider:
|
||||
type: "ConfigMap"
|
||||
name: "kube-root-ca.crt"
|
||||
namespace: database
|
||||
key: "ca.crt"
|
||||
auth:
|
||||
serviceAccount:
|
||||
name: external-secrets-pg
|
||||
namespace: database
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./rbac.yaml
|
||||
- ./clustersecretstore.yaml
|
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: external-secrets-pg
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["selfsubjectrulesreviews"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: &name external-secrets-pg
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: *name
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: *name
|
||||
namespace: database
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: external-secrets-pg
|
||||
namespace: database
|
83
kubernetes/apps/database/crunchy-postgres-operator/ks.yaml
Normal file
83
kubernetes/apps/database/crunchy-postgres-operator/ks.yaml
Normal file
|
@ -0,0 +1,83 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &appname crunchy-postgres-operator
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: database
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *appname
|
||||
interval: 10m
|
||||
path: "./kubernetes/apps/database/crunchy-postgres-operator/operator"
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: theshire
|
||||
wait: true
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &appname crunchy-postgres-operator-cluster
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: database
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *appname
|
||||
interval: 10m
|
||||
path: ./kubernetes/apps/database/crunchy-postgres-operator/cluster
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: theshire
|
||||
wait: true
|
||||
dependsOn:
|
||||
- name: crunchy-postgres-operator
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &appname crunchy-postgres-operator-secretstore
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: database
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *appname
|
||||
interval: 10m
|
||||
path: ./kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: theshire
|
||||
wait: true
|
||||
dependsOn:
|
||||
- name: crunchy-postgres-operator-cluster
|
||||
- name: external-secrets
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &appname crunchy-postgres-userinit-controller
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: database
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *appname
|
||||
interval: 10m
|
||||
path: ./kubernetes/apps/database/crunchy-postgres-operator/userinit-controller
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: theshire
|
||||
wait: true
|
||||
dependsOn:
|
||||
- name: crunchy-postgres-operator-cluster
|
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: crunchy-postgres-operator
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: pgo
|
||||
version: 5.6.1
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: crunchydata
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
install:
|
||||
crds: CreateReplace
|
||||
upgrade:
|
||||
crds: CreateReplace
|
||||
values:
|
||||
install:
|
||||
clusterLabels:
|
||||
app.kubernetes.io/name: pgo
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./helmrelease.yaml
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: userinit-controller
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: crunchy-userinit-controller
|
||||
version: 0.0.4
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: crunchy-userinit
|
||||
values:
|
||||
fullnameOverride: crunchy-userinit-controller
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json
|
||||
apiVersion: source.toolkit.fluxcd.io/v1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: crunchy-userinit
|
||||
spec:
|
||||
interval: 30m
|
||||
url: https://ramblurr.github.io/crunchy-userinit-controller
|
||||
timeout: 3m
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./helmrepository.yaml
|
||||
- ./helmrelease.yaml
|
30
kubernetes/apps/database/dragonfly/app/dragonfly.yaml
Normal file
30
kubernetes/apps/database/dragonfly/app/dragonfly.yaml
Normal file
|
@ -0,0 +1,30 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/dragonflydb.io/dragonfly_v1alpha1.json
|
||||
apiVersion: dragonflydb.io/v1alpha1
|
||||
kind: Dragonfly
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: dragonfly
|
||||
name: dragonfly
|
||||
spec:
|
||||
replicas: 1
|
||||
resources:
|
||||
requests:
|
||||
cpu: 500m
|
||||
memory: 500Mi
|
||||
limits:
|
||||
memory: 3Gi
|
||||
args:
|
||||
- "--proactor_threads=4"
|
||||
- "--default_lua_flags=allow-undeclared-keys"
|
||||
|
||||
# Need retention policy before this is enabled
|
||||
# Or add S3 details and enable retention policy on the bucket.
|
||||
# snapshot:
|
||||
# cron: "*/5 * * * *"
|
||||
# persistentVolumeClaimSpec:
|
||||
# accessModes:
|
||||
# - ReadWriteOnce
|
||||
# resources:
|
||||
# requests:
|
||||
# storage: 2Gi
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./dragonfly.yaml
|
21
kubernetes/apps/database/dragonfly/ks.yaml
Normal file
21
kubernetes/apps/database/dragonfly/ks.yaml
Normal file
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &app dragonfly
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: database
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *app
|
||||
path: ./kubernetes/apps/database/dragonfly/app
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: homelab
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 15m
|
41
kubernetes/apps/database/emqx/app/externalsecret.yaml
Normal file
41
kubernetes/apps/database/emqx/app/externalsecret.yaml
Normal file
|
@ -0,0 +1,41 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: emqx
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: onepassword-connect
|
||||
target:
|
||||
name: emqx-secret
|
||||
template:
|
||||
engineVersion: v2
|
||||
data:
|
||||
EMQX_DASHBOARD__DEFAULT_USERNAME: "{{ .EMQX_DASHBOARD__DEFAULT_USERNAME }}"
|
||||
EMQX_DASHBOARD__DEFAULT_PASSWORD: "{{ .EMQX_DASHBOARD__DEFAULT_PASSWORD }}"
|
||||
dataFrom:
|
||||
- extract:
|
||||
key: emqx
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: emqx-init-user
|
||||
spec:
|
||||
refreshInterval: 5m
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: onepassword-connect
|
||||
target:
|
||||
name: emqx-init-user-secret
|
||||
template:
|
||||
engineVersion: v2
|
||||
data:
|
||||
init-user.json: |
|
||||
[{"user_id": "{{ .X_EMQX_MQTT_USERNAME }}", "password": "{{ .X_EMQX_MQTT_PASSWORD }}", "is_superuser": true}]
|
||||
dataFrom:
|
||||
- extract:
|
||||
key: emqx
|
31
kubernetes/apps/database/emqx/app/helmrelease.yaml
Normal file
31
kubernetes/apps/database/emqx/app/helmrelease.yaml
Normal file
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: emqx
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: emqx-operator
|
||||
version: 2.2.23
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: emqx
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
strategy: rollback
|
||||
retries: 3
|
||||
dependsOn:
|
||||
- name: cert-manager
|
||||
namespace: cert-manager
|
||||
values:
|
||||
fullnameOverride: emqx-operator
|
||||
image:
|
||||
repository: ghcr.io/emqx/emqx-operator
|
7
kubernetes/apps/database/emqx/app/kustomization.yaml
Normal file
7
kubernetes/apps/database/emqx/app/kustomization.yaml
Normal file
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./externalsecret.yaml
|
||||
- ./helmrelease.yaml
|
53
kubernetes/apps/database/emqx/cluster/cluster.yaml
Normal file
53
kubernetes/apps/database/emqx/cluster/cluster.yaml
Normal file
|
@ -0,0 +1,53 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/apps.emqx.io/emqx_v2beta1.json
|
||||
apiVersion: apps.emqx.io/v2beta1
|
||||
kind: EMQX
|
||||
metadata:
|
||||
name: emqx
|
||||
spec:
|
||||
image: public.ecr.aws/emqx/emqx:5.8.0
|
||||
config:
|
||||
data: |
|
||||
authentication {
|
||||
backend = "built_in_database"
|
||||
mechanism = "password_based"
|
||||
password_hash_algorithm {
|
||||
name = "bcrypt",
|
||||
}
|
||||
user_id_type = "username"
|
||||
bootstrap_file = "/opt/init-user.json"
|
||||
bootstrap_type = "plain"
|
||||
}
|
||||
authorization {
|
||||
sources = [
|
||||
{
|
||||
type = built_in_database
|
||||
enable = true
|
||||
}
|
||||
]
|
||||
no_match: "deny"
|
||||
}
|
||||
coreTemplate:
|
||||
metadata:
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: emqx-secret
|
||||
extraVolumeMounts:
|
||||
- name: init-user
|
||||
mountPath: /opt/init-user.json
|
||||
subPath: init-user.json
|
||||
readOnly: true
|
||||
extraVolumes:
|
||||
- name: init-user
|
||||
secret:
|
||||
secretName: emqx-init-user-secret
|
||||
listenersServiceTemplate:
|
||||
metadata:
|
||||
annotations:
|
||||
io.cilium/lb-ipam-ips: 10.1.1.38
|
||||
spec:
|
||||
type: LoadBalancer
|
21
kubernetes/apps/database/emqx/cluster/ingress.yaml
Normal file
21
kubernetes/apps/database/emqx/cluster/ingress.yaml
Normal file
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: emqx-dashboard
|
||||
spec:
|
||||
ingressClassName: internal-nginx
|
||||
rules:
|
||||
- host: &host emqx.jahanson.tech
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: emqx-dashboard
|
||||
port:
|
||||
number: 18083
|
||||
tls:
|
||||
- hosts:
|
||||
- *host
|
8
kubernetes/apps/database/emqx/cluster/kustomization.yaml
Normal file
8
kubernetes/apps/database/emqx/cluster/kustomization.yaml
Normal file
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./cluster.yaml
|
||||
- ./ingress.yaml
|
||||
- ./podmonitor.yaml
|
27
kubernetes/apps/database/emqx/cluster/podmonitor.yaml
Normal file
27
kubernetes/apps/database/emqx/cluster/podmonitor.yaml
Normal file
|
@ -0,0 +1,27 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/podmonitor_v1.json
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PodMonitor
|
||||
metadata:
|
||||
name: emqx
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
apps.emqx.io/instance: emqx
|
||||
apps.emqx.io/managed-by: emqx-operator
|
||||
podMetricsEndpoints:
|
||||
- port: dashboard
|
||||
path: /api/v5/prometheus/stats
|
||||
relabelings:
|
||||
- action: replace
|
||||
# user-defined cluster name, requires unique
|
||||
replacement: emqx5
|
||||
targetLabel: cluster
|
||||
- action: replace
|
||||
# fix value, don't modify
|
||||
replacement: emqx
|
||||
targetLabel: from
|
||||
- action: replace
|
||||
# fix value, don't modify
|
||||
sourceLabels: ['pod']
|
||||
targetLabel: "instance"
|
46
kubernetes/apps/database/emqx/ks.yaml
Normal file
46
kubernetes/apps/database/emqx/ks.yaml
Normal file
|
@ -0,0 +1,46 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &app emqx
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: database
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *app
|
||||
dependsOn:
|
||||
- name: external-secrets-stores
|
||||
path: ./kubernetes/apps/database/emqx/app
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: homelab
|
||||
wait: true
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &app emqx-cluster
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: database
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *app
|
||||
dependsOn:
|
||||
- name: emqx
|
||||
path: ./kubernetes/apps/database/emqx/cluster
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: homelab
|
||||
wait: true
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
11
kubernetes/apps/database/kustomization.yaml
Normal file
11
kubernetes/apps/database/kustomization.yaml
Normal file
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
# Pre Flux-Kustomizations
|
||||
- ./namespace.yaml
|
||||
# Flux-Kustomizations
|
||||
- ./crunchy-postgres-operator/ks.yaml
|
||||
- ./dragonfly/ks.yaml
|
||||
- ./emqx/ks.yaml
|
8
kubernetes/apps/database/namespace.yaml
Normal file
8
kubernetes/apps/database/namespace.yaml
Normal file
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: database
|
||||
labels:
|
||||
kustomize.toolkit.fluxcd.io/prune: disabled
|
||||
volsync.backube/privileged-movers: "true"
|
Loading…
Reference in a new issue