---
# yaml-language-server: $schema=https://ks.hsn.dev/postgres-operator.crunchydata.com/postgrescluster_v1beta1.json
# Crunchy PGO PostgresCluster: a single PostgreSQL 16 instance with a
# pgBackRest S3 repository, PgBouncer in front, and per-application roles.
# Anchors defined here (&name, &replica, &backupConfig, &backupFlag, &minio)
# are reused further down so the restore dataSource and pgBouncer stay in
# step with the primary definitions.
apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PostgresCluster
metadata:
  name: &name postgres
spec:
  postgresVersion: 16

  metadata:
    labels:
      # NOTE(review): these labels look like they drive an out-of-tree
      # user-init controller rather than PGO itself — confirm the consumer.
      crunchy-userinit.ramblurr.github.com/enabled: "true"
      crunchy-userinit.ramblurr.github.com/superuser: "postgres"

  # The primary service is published outside the cluster network with a fixed
  # LB address and a DNS record; which clients may then authenticate is
  # governed only by the pg_hba rules under patroni below.
  service:
    type: LoadBalancer
    metadata:
      annotations:
        external-dns.alpha.kubernetes.io/hostname: postgres.jahanson.tech
        io.cilium/lb-ipam-ips: 10.1.1.35

  monitoring:
    pgmonitor:
      exporter:
        # https://github.com/CrunchyData/postgres-operator-examples/blob/main/helm/install/values.yaml
        # Pinned exporter tag; bump alongside postgresVersion/operator upgrades.
        image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-0.15.0-3

  patroni: # turn on sync writes to at least 1 other replica
    dynamicConfiguration:
      # NOTE(review): instances[0].replicas is 1 (&replica), so there is no
      # second member to acknowledge commits; confirm whether a higher replica
      # count (or synchronous_mode_strict) is the intent.
      synchronous_mode: true
      postgresql:
        synchronous_commit: "on"
        # Host-based auth, evaluated top-down; first matching line wins.
        # Both rules use md5 password auth — scram-sha-256 is the stronger
        # method where every client supports it.
        pg_hba:
          # Cleartext (non-TLS) connections from the pod CIDR: queries and
          # results cross the pod network unencrypted. Accepted for now
          # because dbman does not support SSL yet; revisit when it does.
          - hostnossl all all 10.244.0.0/16 md5 # Needed because dbman does not support SSL yet
          # TLS connections from any address for any role/database; combined
          # with the LoadBalancer service above, password strength is the only
          # barrier for remote clients.
          - hostssl all all all md5

  instances:
    - name: postgres
      metadata:
        labels:
          app.kubernetes.io/name: crunchy-postgres
      # Also reused for pgBouncer replicas (*replica) under spec.proxy.
      replicas: &replica 1
      dataVolumeClaimSpec:
        storageClassName: openebs-zfs
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 20Gi
      # One data pod per node; with replicas 1 this only matters once the
      # count is raised.
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: "kubernetes.io/hostname"
          whenUnsatisfiable: "DoNotSchedule"
          labelSelector:
            matchLabels:
              postgres-operator.crunchydata.com/cluster: *name
              postgres-operator.crunchydata.com/data: postgres

  # Roles managed by PGO; each gets an operator-generated AlphaNumeric
  # password in its own Secret. Only "postgres" is privileged — every
  # application role is limited to the databases listed under it.
  users:
    # Superuser
    - name: postgres
      databases:
        - postgres
      options: "SUPERUSER"
      password:
        type: AlphaNumeric
    # Applications
    - name: atuin
      databases:
        - atuin
      password:
        type: AlphaNumeric
    - name: gatus
      databases:
        - gatus
      password:
        type: AlphaNumeric
    - name: grafana
      databases:
        - grafana
      password:
        type: AlphaNumeric
    - name: prowlarr
      databases:
        - prowlarr_logs
        - prowlarr_main
      password:
        type: AlphaNumeric
    - name: radarr
      databases:
        - radarr_logs
        - radarr_main
      password:
        type: AlphaNumeric
    - name: sonarr
      databases:
        - sonarr_logs
        - sonarr_main
      password:
        type: AlphaNumeric


  backups:
    pgbackrest:
      # NOTE(review): this Secret is presumably where the repo1 S3 credentials
      # live (not shown here); it is referenced again by dataSource via
      # *backupConfig, so rotating it affects restores as well.
      configuration: &backupConfig
        - secret:
            name: crunchy-postgres-secret
      # pgBackRest options shared by backups and the restore dataSource.
      global: &backupFlag
        archive-timeout: "60"
        compress-type: "bz2"
        compress-level: "9"
        delta: "y"
        # Retention is time-based: full backups kept 14 days, diffs 30.
        repo1-retention-full-type: "time"
        repo1-retention-full: "14"
        repo1-retention-diff: "30"
        repo1-path: "/crunchy-pgo"
        # Path-style addressing for the non-AWS endpoint below.
        repo1-s3-uri-style: path
        archive-push-queue-max: 4GiB
      # Ad-hoc backup triggered via the operator's manual-backup annotation.
      manual:
        repoName: repo1
        options:
          - --type=full
      metadata:
        labels:
          app.kubernetes.io/name: crunchy-postgres-backup
      repos:
        - name: repo1 # Minio
          s3: &minio
            bucket: "crunchy-main"
            endpoint: "s3.hsn.dev"
            region: "us-east-1"
          schedules:
            full: "0 1 * * 0" # Sunday at 01:00
            differential: "0 1 * * 1-6" # Mon-Sat at 01:00
            incremental: "0 2-23 * * *" # Every hour except 01:00

  # Bootstrap from an existing pgBackRest backup in the same repo1 bucket
  # (same Secret, options and S3 settings as the backup section above).
  dataSource:
    pgbackrest:
      stanza: "db"
      configuration: *backupConfig
      global: *backupFlag
      repo:
        name: "repo1"
        s3: *minio

  proxy:
    pgBouncer:
      port: 5432
      replicas: *replica
      metadata:
        labels:
          app.kubernetes.io/name: crunchy-postgres-pgbouncer
      config:
        global:
          # transaction mode is required by Authentik; Grafana needs session
          # mode (https://github.com/grafana/grafana/issues/74260#issuecomment-1702795311),
          # everything else is happy with transaction.
          pool_mode: "transaction" # pgBouncer is set to transaction for Authentik. Grafana requires session https://github.com/grafana/grafana/issues/74260#issuecomment-1702795311. Everything else is happy with transaction
          # "prefer" is opportunistic: clients that do not request TLS get a
          # cleartext session to pgBouncer. Use "require" once all clients
          # can negotiate TLS.
          client_tls_sslmode: prefer
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: "kubernetes.io/hostname"
          whenUnsatisfiable: "DoNotSchedule"
          labelSelector:
            matchLabels:
              postgres-operator.crunchydata.com/cluster: *name
              postgres-operator.crunchydata.com/role: "pgbouncer"