diff --git a/addons/apecloud-mysql/config/mysql8-config.tpl b/addons/apecloud-mysql/config/mysql8-config.tpl
index aa77a0465..752882782 100644
--- a/addons/apecloud-mysql/config/mysql8-config.tpl
+++ b/addons/apecloud-mysql/config/mysql8-config.tpl
@@ -183,7 +183,7 @@ relay_log_index=relay-bin.index
 pid-file=/var/run/mysqld/mysqld.pid
 socket=/var/run/mysqld/mysqld.sock
-{{- if $.component.tls }}
+{{- if $.component.tlsConfig }}
 {{- $ca_file := getCAFile }}
 {{- $cert_file := getCertFile }}
 {{- $key_file := getKeyFile }}
diff --git a/addons/apecloud-mysql/templates/componentdefinition.yaml b/addons/apecloud-mysql/templates/componentdefinition.yaml
new file mode 100644
index 000000000..b4bc63f64
--- /dev/null
+++ b/addons/apecloud-mysql/templates/componentdefinition.yaml
@@ -0,0 +1,273 @@ +apiVersion: apps.kubeblocks.io/v1alpha1 +kind: ComponentDefinition +metadata: + name: apecloud-mysql-0.7.0 + labels: + {{- include "apecloud-mysql.labels" . | nindent 4 }} +spec: + provider: kubeblocks.io + description: ApeCloud MySQL is a database that is compatible with MySQL syntax and achieves high availability through the utilization of the RAFT consensus protocol. + serviceKind: mysql + serviceVersion: 8.0.30 + runtime: + containers: + - name: mysql + image: {{ .Values.image.registry | default "docker.io" }}/{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ default "IfNotPresent" .Values.image.pullPolicy }} + command: [ "/scripts/setup.sh" ] + env: + - name: SERVICE_PORT + value: "3306" + - name: MYSQL_ROOT_HOST + value: {{ .Values.auth.rootHost | default "%" | quote }} + - name: MYSQL_ROOT_USER + valueFrom: + secretKeyRef: + name: $(CONN_CREDENTIAL_SECRET_NAME) + key: username + optional: false + - name: MYSQL_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: $(CONN_CREDENTIAL_SECRET_NAME) + key: password + optional: false + - name: MYSQL_DATABASE + value: {{- if .Values.auth.createDatabase }} {{ .Values.auth.database | quote }} {{- else }} "" {{- end }} + - name: MYSQL_USER + value: {{ .Values.auth.username | default "" | quote }} + - name: MYSQL_PASSWORD + value: {{ .Values.auth.password | default "" | quote }} + - name: CLUSTER_ID + value: {{ .Values.cluster.clusterId | default "1" | quote }} + - name: CLUSTER_START_INDEX + value: {{ .Values.cluster.clusterStartIndex | default "1" | quote }} + - name: REPLICATION_USER + value: {{ .Values.auth.replicationUser | default "replicator" | quote }} + - name: REPLICATION_PASSWORD + value: {{ .Values.auth.replicationPassword | default "" | quote }} + - name: MYSQL_TEMPLATE_CONFIG + value: {{ if .Values.cluster.templateConfig }}{{ .Values.cluster.templateConfig }}{{ end }} + - name: MYSQL_CUSTOM_CONFIG + value: {{ if .Values.cluster.customConfig }}{{ 
.Values.cluster.customConfig }}{{ end }} + - name: MYSQL_DYNAMIC_CONFIG + value: {{ if .Values.cluster.dynamicConfig }}{{ .Values.cluster.dynamicConfig }}{{ end }} + - name: KB_EMBEDDED_WESQL + value: {{ .Values.cluster.kbWeSQLImage | default "1" | quote }} + volumeMounts: + - mountPath: {{ .Values.mysqlConfigs.dataMountPath }} + name: data + - mountPath: /opt/mysql + name: mysql-config + - name: scripts + mountPath: /scripts + - name: annotations + mountPath: /etc/annotations + ports: + - containerPort: 3306 + name: mysql + - containerPort: 13306 + name: paxos + lifecycle: + preStop: + exec: + command: [ "/scripts/pre-stop.sh" ] + - name: metrics + image: {{ .Values.metrics.image.registry | default "docker.io" }}/{{ .Values.metrics.image.repository }}:{{ .Values.metrics.image.tag }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + command: [ "/scripts/agamotto.sh" ] + env: + - name: DB_TYPE + value: MySQL + - name: ENDPOINT + value: {{ printf "localhost:3306" }} + - name: MYSQL_USER + valueFrom: + secretKeyRef: + name: $(CONN_CREDENTIAL_SECRET_NAME) + key: username + optional: false + - name: MYSQL_PASSWORD + valueFrom: + secretKeyRef: + name: $(CONN_CREDENTIAL_SECRET_NAME) + key: password + optional: false + volumeMounts: + - name: agamotto-configuration + mountPath: /opt/agamotto + - name: data + mountPath: {{ .Values.mysqlConfigs.dataMountPath }} + {{- if .Values.logCollector.enabled }} + - name: log-data + mountPath: /var/log/kubeblocks + readOnly: false + {{- end }} + - name: scripts + mountPath: /scripts + ports: + - name: http-metrics + containerPort: {{ .Values.metrics.service.port }} + securityContext: + runAsNonRoot: false + runAsUser: 0 + volumes: + {{- if .Values.logCollector.enabled }} + - name: log-data + hostPath: + path: /var/log/kubeblocks + type: DirectoryOrCreate + {{- end }} + - name: annotations + downwardAPI: + items: + - path: "leader" + fieldRef: + fieldPath: metadata.annotations['cs.apps.kubeblocks.io/leader'] + - path: 
"component-replicas" + fieldRef: + fieldPath: metadata.annotations['apps.kubeblocks.io/component-replicas'] + volumes: + services: + - name: default + serviceName: mysql + spec: + ports: + - name: mysql + port: 3306 + targetPort: mysql + roleSelector: leader + - name: readonly + serviceName: mysql-ro + spec: + ports: + - name: mysql + port: 3306 + targetPort: mysql + roleSelector: follower + configs: + - name: mysql-consensusset-config + templateRef: mysql8.0-config-template + constraintRef: mysql8.0-config-constraints + volumeName: mysql-config + namespace: {{ .Release.Namespace }} + - name: agamotto-configuration + templateRef: apecloud-mysql8-agamotto-configuration + namespace: {{ .Release.Namespace }} + volumeName: agamotto-configuration + defaultMode: 0444 # for only read, mysql container switched user account. + - name: vttablet-config + templateRef: vttablet-config-template + constraintRef: mysql-scale-vttablet-config-constraints + volumeName: mysql-scale-config + namespace: {{ .Release.Namespace }} + logConfigs: + {{- range $name,$pattern := .Values.logConfigs }} + - name: {{ $name }} + filePathPattern: {{ $pattern }} + {{- end }} + monitor: + builtIn: false + exporterConfig: + scrapePath: /metrics + scrapePort: {{ .Values.metrics.service.port }} + scripts: + - name: apecloud-mysql-scripts + templateRef: apecloud-mysql-scripts + namespace: {{ .Release.Namespace }} + volumeName: scripts + defaultMode: 0555 # for read and execute, mysql container switched user account. 
+ systemAccounts: + - name: root + initAccount: true + passwordGenerationPolicy: + length: 16 + numDigits: 8 + numSymbols: 8 + letterCase: MixedCases + - name: kbadmin + statement: CREATE USER $(USERNAME) IDENTIFIED BY '$(PASSWORD)'; GRANT ALL PRIVILEGES ON *.* TO $(USERNAME); + passwordGenerationPolicy: &defaultPasswordGenerationPolicy + length: 10 + numDigits: 5 + numSymbols: 0 + letterCase: MixedCases + - name: kbdataprotection + statement: CREATE USER $(USERNAME) IDENTIFIED BY '$(PASSWORD)';GRANT RELOAD, LOCK TABLES, PROCESS, REPLICATION CLIENT ON *.* TO $(USERNAME); GRANT LOCK TABLES,RELOAD,PROCESS,REPLICATION CLIENT, SUPER,SELECT,EVENT,TRIGGER,SHOW VIEW ON *.* TO $(USERNAME); + passwordGenerationPolicy: *defaultPasswordGenerationPolicy + - name: kbprobe + statement: CREATE USER $(USERNAME) IDENTIFIED BY '$(PASSWORD)'; GRANT REPLICATION CLIENT, PROCESS ON *.* TO $(USERNAME); GRANT SELECT ON performance_schema.* TO $(USERNAME); + passwordGenerationPolicy: *defaultPasswordGenerationPolicy + - name: kbmonitoring + statement: CREATE USER $(USERNAME) IDENTIFIED BY '$(PASSWORD)'; GRANT REPLICATION CLIENT, PROCESS ON *.* TO $(USERNAME); GRANT SELECT ON performance_schema.* TO $(USERNAME); + passwordGenerationPolicy: *defaultPasswordGenerationPolicy + - name: kbreplicator + statement: CREATE USER $(USERNAME) IDENTIFIED BY '$(PASSWORD)'; GRANT REPLICATION SLAVE ON *.* TO $(USERNAME) WITH GRANT OPTION; + passwordGenerationPolicy: *defaultPasswordGenerationPolicy + connectionCredentials: + - name: root + serviceName: default + accountName: root + - name: admin + serviceName: default + accountName: kbadmin + roles: + - name: leader + serviceable: true + writable: true + - name: follower + serviceable: true + writable: false + - name: learner + serviceable: false + writable: false + lifecycleActions: + roleProbe: + builtinHandler: wesql + failureThreshold: {{ .Values.roleProbe.failureThreshold }} + periodSeconds: {{ .Values.roleProbe.periodSeconds }} + timeoutSeconds: {{ 
.Values.roleProbe.timeoutSeconds }}
+ switchover:
+ withCandidate:
+ image: {{ .Values.image.registry | default "docker.io" }}/{{ .Values.image.repository }}:{{ default .Values.image.tag }}
+ exec:
+ command:
+ - /scripts/switchover-with-candidate.sh
+ withoutCandidate:
+ image: {{ .Values.image.registry | default "docker.io" }}/{{ .Values.image.repository }}:{{ default .Values.image.tag }}
+ exec:
+ command:
+ - /scripts/switchover-without-candidate.sh
+ scriptSpecSelectors:
+ - name: apecloud-mysql-scripts
+ memberJoin:
+ memberLeave:
+ readonly:
+ readwrite:
+ dataPopulate:
+ dataAssemble:
+ accountProvision:
+ customHandler:
+ image: {{ .Values.image.registry | default "docker.io" }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}
+ exec:
+ command:
+ - mysql
+ args:
+ - -u$(MYSQL_ROOT_USER)
+ - -p$(MYSQL_ROOT_PASSWORD)
+ - -h$(KB_ACCOUNT_ENDPOINT)
+ - -e
+ - $(KB_ACCOUNT_STATEMENT)
+ env:
+ - name: MYSQL_ROOT_USER
+ valueFrom:
+ secretKeyRef:
+ name: $(CONN_CREDENTIAL_SECRET_NAME)
+ key: username
+ optional: false
+ - name: MYSQL_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: $(CONN_CREDENTIAL_SECRET_NAME)
+ key: password
+ optional: false
\ No newline at end of file
diff --git a/addons/apecloud-postgresql/config/pg12-config.tpl b/addons/apecloud-postgresql/config/pg12-config.tpl
index 3ec807b36..089dea295 100644
--- a/addons/apecloud-postgresql/config/pg12-config.tpl
+++ b/addons/apecloud-postgresql/config/pg12-config.tpl
@@ -212,7 +212,7 @@ session_replication_role = 'origin'
 sql_firewall.firewall = 'disable'
 shared_buffers = '{{ printf "%d%s" $shared_buffers $buffer_unit }}'
 # shared_preload_libraries = 'pg_stat_statements,auto_explain,bg_mon,pgextwlist,pg_auth_mon,set_user,pg_cron,pg_stat_kcache'
-{{- if $.component.tls }}
+{{- if $.component.tlsConfig }}
 {{- $ca_file := getCAFile }}
 {{- $cert_file := getCertFile }}
 {{- $key_file := getKeyFile }}
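Review bot: The accountProvision customHandler near the end of the hunk passes the root password as a command-line argument (`- -p$(MYSQL_ROOT_PASSWORD)`), so it is readable from the process list of the action pod and in any argv capture, even though the same value is already injected from the secret via the MYSQL_ROOT_PASSWORD env entry. The mysql client reads its password from the `MYSQL_PWD` environment variable, so dropping that args line and renaming the env entry to `- name: MYSQL_PWD` keeps the credential out of argv with no other change. Earlier in the hunk, `MYSQL_PASSWORD` and `REPLICATION_PASSWORD` are rendered from chart values as plain `value:` strings inside the ComponentDefinition rather than through a `secretKeyRef`, so anyone able to read the definition object reads those passwords. The securityContext after the metrics ports sets `runAsNonRoot: false` and `runAsUser: 0` (pod-level, if I read the flattened indentation right) while the metrics container mounts a hostPath under /var/log/kubeblocks when logCollector is enabled; a comment stating why root is required there would help the next reviewer.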
diff --git a/addons/kafka/scripts/kafka-exporter-setup.sh.tpl b/addons/kafka/scripts/kafka-exporter-setup.sh.tpl
index 03753c276..07c6d99ce 100644
--- a/addons/kafka/scripts/kafka-exporter-setup.sh.tpl
+++ b/addons/kafka/scripts/kafka-exporter-setup.sh.tpl
@@ -27,7 +27,7 @@ {{ $servers = trimSuffix " \\\n" $servers}}
 exec kafka_exporter --web.listen-address=:9308 \
 {{- if hasKey $component "tls" }}
- {{- if $component.tls }}
+ {{- if $component.tlsConfig }}
 --tls.enabled \
 {{- end }}
 {{- end }}
diff --git a/addons/kafka/scripts/kafka-server-setup.sh.tpl b/addons/kafka/scripts/kafka-server-setup.sh.tpl
index 59ac97f60..17506cd48 100644
--- a/addons/kafka/scripts/kafka-server-setup.sh.tpl
+++ b/addons/kafka/scripts/kafka-server-setup.sh.tpl
@@ -1,7 +1,7 @@
 #!/bin/bash
 # TLS setting
-{{- if $.component.tls }}
+{{- if $.component.tlsConfig }}
 # override TLS and auth settings
 export KAFKA_TLS_TYPE="PEM"
 echo "[tls]KAFKA_TLS_TYPE=$KAFKA_TLS_TYPE"
diff --git a/addons/official-postgresql/config/pg12-config.tpl b/addons/official-postgresql/config/pg12-config.tpl
index 9e25f8c64..24692167d 100644
--- a/addons/official-postgresql/config/pg12-config.tpl
+++ b/addons/official-postgresql/config/pg12-config.tpl
@@ -221,7 +221,7 @@ session_replication_role = 'origin'
 sql_firewall.firewall = 'disable'
 shared_buffers = '{{ printf "%d%s" $shared_buffers $buffer_unit }}'
 # shared_preload_libraries = 'pg_stat_statements,auto_explain,bg_mon,pgextwlist,pg_auth_mon,set_user,pg_cron,pg_stat_kcache'
-{{- if $.component.tls }}
+{{- if $.component.tlsConfig }}
 {{- $ca_file := getCAFile }}
 {{- $cert_file := getCertFile }}
 {{- $key_file := getKeyFile }}
diff --git a/addons/official-postgresql/config/pg14-config.tpl b/addons/official-postgresql/config/pg14-config.tpl
index 41139548e..0cbe077f0 100644
--- a/addons/official-postgresql/config/pg14-config.tpl
+++ b/addons/official-postgresql/config/pg14-config.tpl
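Review bot: In the kafka-exporter-setup hunk the outer guard still tests `hasKey $component "tls"` while the inner condition now reads `$component.tlsConfig`, so if the field really was renamed the outer guard is always false and `--tls.enabled` can no longer be emitted, leaving the exporter on plaintext without any error. The guard should follow the rename: `{{- if hasKey $component "tlsConfig" }}`. The other seven `$.component.tls` → `$.component.tlsConfig` hunks in this commit are consistent with each other, but each of them gates the certificate and key wiring on this single condition, so a cluster still spelling the old field name would render without TLS rather than fail loudly. It is worth confirming that the operator rejects the old field name instead of silently ignoring it.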
@@ -221,7 +221,7 @@ session_replication_role = 'origin'
 sql_firewall.firewall = 'disable'
 shared_buffers = '{{ printf "%d%s" $shared_buffers $buffer_unit }}'
 # shared_preload_libraries = 'pg_stat_statements,auto_explain,bg_mon,pgextwlist,pg_auth_mon,set_user,pg_cron,pg_stat_kcache'
-{{- if $.component.tls }}
+{{- if $.component.tlsConfig }}
 {{- $ca_file := getCAFile }}
 {{- $cert_file := getCertFile }}
 {{- $key_file := getKeyFile }}
diff --git a/addons/orioledb/config/orioledb-config.tpl b/addons/orioledb/config/orioledb-config.tpl
index afc1e8ccd..2f5cacad9 100644
--- a/addons/orioledb/config/orioledb-config.tpl
+++ b/addons/orioledb/config/orioledb-config.tpl
@@ -212,7 +212,7 @@ session_replication_role = 'origin'
 sql_firewall.firewall = 'disable'
 shared_buffers = '{{ printf "%d%s" $shared_buffers $buffer_unit }}'
 shared_preload_libraries = 'orioledb,pg_stat_statements,auto_explain'
-{{- if $.component.tls }}
+{{- if $.component.tlsConfig }}
 {{- $ca_file := getCAFile }}
 {{- $cert_file := getCertFile }}
 {{- $key_file := getKeyFile }}
diff --git a/addons/postgresql/config/pg12-config.tpl b/addons/postgresql/config/pg12-config.tpl
index e1d0831f2..e85cf1e8f 100644
--- a/addons/postgresql/config/pg12-config.tpl
+++ b/addons/postgresql/config/pg12-config.tpl
@@ -221,7 +221,7 @@ session_replication_role = 'origin'
 sql_firewall.firewall = 'disable'
 shared_buffers = '{{ printf "%d%s" $shared_buffers $buffer_unit }}'
 # shared_preload_libraries = 'pg_stat_statements,auto_explain,bg_mon,pgextwlist,pg_auth_mon,set_user,pg_cron,pg_stat_kcache'
-{{- if $.component.tls }}
+{{- if $.component.tlsConfig }}
 {{- $ca_file := getCAFile }}
 {{- $cert_file := getCertFile }}
 {{- $key_file := getKeyFile }}
diff --git a/addons/postgresql/config/pg14-config.tpl b/addons/postgresql/config/pg14-config.tpl
index af3c0854c..f95b88ab2 100644
--- a/addons/postgresql/config/pg14-config.tpl
+++ b/addons/postgresql/config/pg14-config.tpl
@@ -221,7 +221,7 @@ session_replication_role = 'origin'
 sql_firewall.firewall = 'disable'
 shared_buffers = '{{ printf "%d%s" $shared_buffers $buffer_unit }}'
 # shared_preload_libraries = 'pg_stat_statements,auto_explain,bg_mon,pgextwlist,pg_auth_mon,set_user,pg_cron,pg_stat_kcache'
-{{- if $.component.tls }}
+{{- if $.component.tlsConfig }}
 {{- $ca_file := getCAFile }}
 {{- $cert_file := getCertFile }}
 {{- $key_file := getKeyFile }}
diff --git a/addons/postgresql/templates/componentdefinition-12.yaml b/addons/postgresql/templates/componentdefinition-12.yaml
new file mode 100644
index 000000000..3cd17f5cc
--- /dev/null
+++ b/addons/postgresql/templates/componentdefinition-12.yaml
@@ -0,0 +1,402 @@ +apiVersion: apps.kubeblocks.io/v1alpha1 +kind: ComponentDefinition +metadata: + name: postgresql-12 + labels: + {{- include "postgresql.labels" . | nindent 4 }} +spec: + provider: kubeblocks + description: A PostgreSQL (with Patroni HA) component definition for Kubernetes + serviceKind: postgresql + serviceVersion: 12.15.0 + services: + - name: postgresql + serviceName: postgresql + spec: + ports: + - name: tcp-postgresql + port: 5432 + targetPort: tcp-postgresql + - name: tcp-pgbouncer + port: 6432 + targetPort: tcp-pgbouncer + roleSelector: primary + connectionCredentials: + - name: postgres + serviceName: postgresql + portName: tcp-postgresql + accountName: postgres + - name: pgbouncer + serviceName: postgresql + portName: tcp-pgbouncer + accountName: postgres + updateStrategy: BestEffortParallel + volumes: + - name: data + needSnapshot: true + roles: + - name: primary + serviceable: true + writable: true + - name: secondary + serviceable: false + writable: false + labels: + apps.kubeblocks.postgres.patroni/scope: "$(KB_CLUSTER_NAME)-$(KB_COMP_NAME)-patroni$(KB_CLUSTER_UID_POSTFIX_8)" + logConfigs: + {{- range $name,$pattern := .Values.logConfigs }} + - name: {{ $name }} + filePathPattern: {{ $pattern }} + {{- end }} + monitor: + builtIn: false + exporterConfig: + scrapePath: /metrics + scrapePort: {{ .Values.metrics.service.port }} + configs: + - name: postgresql-configuration + templateRef: postgresql-configuration + constraintRef: postgresql14-cc + keys: + - postgresql.conf + namespace: {{ .Release.Namespace }} + volumeName: postgresql-config + defaultMode: 0444 + - name: pgbouncer-configuration + templateRef: pgbouncer-configuration + keys: + - pgbouncer.ini + namespace: {{ .Release.Namespace }} + volumeName: pgbouncer-config + defaultMode: 0444 + - name: postgresql-custom-metrics + templateRef: postgresql14-custom-metrics + namespace: {{ .Release.Namespace }} + volumeName: postgresql-custom-metrics + defaultMode: 0444 + - name: 
agamotto-configuration + templateRef: postgresql-agamotto-configuration + namespace: {{ .Release.Namespace }} + volumeName: agamotto-configuration + defaultMode: 0444 + scripts: + - name: postgresql-scripts + templateRef: postgresql-scripts + namespace: {{ .Release.Namespace }} + volumeName: scripts + defaultMode: 0555 + systemAccounts: + - name: postgres + initAccount: true + passwordGenerationPolicy: + length: 10 + numDigits: 5 + numSymbols: 0 + letterCase: MixedCases + - name: kbadmin + statement: CREATE USER $(USERNAME) SUPERUSER PASSWORD '$(PASSWD)'; + passwordGenerationPolicy: &defaultPasswdGenerationPolicy + length: 10 + numDigits: 5 + numSymbols: 0 + letterCase: MixedCases + - name: kbdataprotection + statement: CREATE USER $(USERNAME) SUPERUSER PASSWORD '$(PASSWD)'; + passwordGenerationPolicy: *defaultPasswdGenerationPolicy + - name: kbprobe + statement: CREATE USER $(USERNAME) WITH PASSWORD '$(PASSWD)'; GRANT pg_monitor TO $(USERNAME); + passwordGenerationPolicy: *defaultPasswdGenerationPolicy + - name: kbmonitoring + statement: CREATE USER $(USERNAME) WITH PASSWORD '$(PASSWD)'; GRANT pg_monitor TO $(USERNAME); + passwordGenerationPolicy: *defaultPasswdGenerationPolicy + - name: kbreplicator + statement: CREATE USER $(USERNAME) WITH REPLICATION PASSWORD '$(PASSWD)'; + passwordGenerationPolicy: *defaultPasswdGenerationPolicy + lifecycleActions: + roleProbe: + builtinHandler: postgresql + failureThreshold: 2 + periodSeconds: 1 + timeoutSeconds: 1 + switchover: + withCandidate: + image: {{ .Values.image.registry | default "docker.io" }}/{{ .Values.image.repository }}:12.15.0-pgvector-v0.5.0 + exec: + command: + - /bin/bash + - -c + args: + - curl -s http://$(KB_REPLICATION_PRIMARY_POD_FQDN):8008/switchover -XPOST -d '{"leader":"$(KB_REPLICATION_PRIMARY_POD_NAME)","candidate":"$(KB_SWITCHOVER_CANDIDATE_NAME)"}' + withoutCandidate: + image: {{ .Values.image.registry | default "docker.io" }}/{{ .Values.image.repository }}:12.15.0-pgvector-v0.5.0 + exec: + 
command: + - /bin/bash + - -c + args: + - curl -s http://$(KB_REPLICATION_PRIMARY_POD_FQDN):8008/switchover -XPOST -d '{"leader":"$(KB_REPLICATION_PRIMARY_POD_NAME)"}' + accountProvision: + customHandler: + image: {{ .Values.image.registry | default "docker.io" }}/{{ .Values.image.repository }}:12.15.0-pgvector-v0.5.0 + exec: + command: + - psql + args: + - -h$(KB_ACCOUNT_ENDPOINT) + - -c + - $(KB_ACCOUNT_STATEMENT) + env: + - name: PGUSER + valueFrom: + secretKeyRef: + name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres + key: username + optional: false + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres + key: password + optional: false + runtime: + securityContext: + runAsUser: 0 + fsGroup: 103 + runAsGroup: 103 + initContainers: + - name: pg-init-container + image: {{ .Values.image.registry | default "docker.io" }}/{{ .Values.image.repository }}:12.15.0-pgvector-v0.5.0 + imagePullPolicy: {{ default .Values.image.pullPolicy "IfNotPresent" }} + command: + - /kb-scripts/init_container.sh + volumeMounts: + - name: data + mountPath: /home/postgres/pgdata + - name: postgresql-config + mountPath: /home/postgres/conf + - name: scripts + mountPath: /kb-scripts + - name: pod-info + mountPath: /kb-podinfo + containers: + - name: postgresql + image: {{ .Values.image.registry | default "docker.io" }}/{{ .Values.image.repository }}:12.15.0-pgvector-v0.5.0 + imagePullPolicy: {{ default .Values.image.pullPolicy "IfNotPresent" }} + securityContext: + runAsUser: 0 + command: + - /kb-scripts/setup.sh + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + exec: + command: + - /bin/sh + - -c + - -ee + - | + exec pg_isready -U {{ default "postgres" | quote }} -h 127.0.0.1 -p 5432 + [ -f /postgresql/tmp/.initialized ] || [ -f /postgresql/.initialized ] + volumeMounts: + - name: dshm + mountPath: /dev/shm + - name: data + mountPath: 
/home/postgres/pgdata + - name: postgresql-config + mountPath: /home/postgres/conf + - name: scripts + mountPath: /kb-scripts + - name: pod-info + mountPath: /kb-podinfo + ports: + - name: tcp-postgresql + containerPort: 5432 + - name: patroni + containerPort: 8008 + env: ## refer https://github.com/zalando/spilo/blob/master/ENVIRONMENT.rst + - name: DCS_ENABLE_KUBERNETES_API + value: "true" + - name: KUBERNETES_USE_CONFIGMAPS + value: "true" + - name: SCOPE + value: "$(KB_CLUSTER_NAME)-$(KB_COMP_NAME)-patroni$(KB_CLUSTER_UID_POSTFIX_8)" + - name: KUBERNETES_SCOPE_LABEL + value: "apps.kubeblocks.postgres.patroni/scope" + - name: KUBERNETES_ROLE_LABEL + value: "apps.kubeblocks.postgres.patroni/role" + - name: KUBERNETES_LABELS + value: '{"app.kubernetes.io/instance":"$(KB_CLUSTER_NAME)","apps.kubeblocks.io/component-name":"$(KB_COMP_NAME)"}' + - name: RESTORE_DATA_DIR + value: /home/postgres/pgdata/kb_restore + - name: KB_PG_CONFIG_PATH + value: /home/postgres/conf/postgresql.conf + - name: SPILO_CONFIGURATION + value: | ## https://github.com/zalando/patroni#yaml-configuration + bootstrap: + initdb: + - auth-host: md5 + - auth-local: trust + - name: ALLOW_NOSSL + value: "true" + - name: PGROOT + value: /home/postgres/pgdata/pgroot + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: PGUSER_SUPERUSER + valueFrom: + secretKeyRef: + name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres + key: username + optional: false + - name: PGPASSWORD_SUPERUSER + valueFrom: + secretKeyRef: + name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres + key: password + optional: false + - name: PGUSER_ADMIN + value: superadmin + - name: PGPASSWORD_ADMIN + valueFrom: + secretKeyRef: + name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres + key: password + optional: false + - name: PGUSER_STANDBY + value: standby + - name: PGPASSWORD_STANDBY + 
valueFrom: + secretKeyRef: + name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres + key: password + optional: false + - name: PGUSER + valueFrom: + secretKeyRef: + name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres + key: username + optional: false + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres + key: password + optional: false + - name: pgbouncer + image: {{ .Values.pgbouncer.image.registry | default "docker.io" }}/{{ .Values.pgbouncer.image.repository }}:{{ default .Values.pgbouncer.image.tag }} + imagePullPolicy: {{ .Values.pgbouncer.image.pullPolicy | quote }} + securityContext: + runAsUser: 0 + ports: + - name: tcp-pgbouncer + containerPort: 6432 + volumeMounts: + - name: pgbouncer-config + mountPath: /home/pgbouncer/conf + - name: scripts + mountPath: /kb-scripts + command: + - /kb-scripts/pgbouncer_setup.sh + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 15 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + tcpSocket: + port: tcp-pgbouncer + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 15 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + tcpSocket: + port: tcp-pgbouncer + env: + - name: PGBOUNCER_AUTH_TYPE + value: md5 + - name: POSTGRESQL_USERNAME + valueFrom: + secretKeyRef: + name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres + key: username + optional: false + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres + key: password + optional: false + - name: POSTGRESQL_PORT + value: "5432" + - name: POSTGRESQL_HOST + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: PGBOUNCER_PORT + value: "6432" + - name: PGBOUNCER_BIND_ADDRESS + value: "0.0.0.0" + - name: metrics + image: {{ .Values.metrics.image.registry | default "docker.io" }}/{{ .Values.metrics.image.repository }}:{{ .Values.metrics.image.tag }} + imagePullPolicy: {{ 
.Values.metrics.image.pullPolicy | quote }} + securityContext: + runAsUser: 0 + env: + - name: ENDPOINT + value: {{ printf "127.0.0.1:5432" }} + - name: DATA_SOURCE_PASS + valueFrom: + secretKeyRef: + name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres + key: password + optional: false + - name: DATA_SOURCE_USER + valueFrom: + secretKeyRef: + name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres + key: username + optional: false + command: + - "/bin/agamotto" + - "--config=/opt/agamotto/agamotto-config.yaml" + ports: + - name: http-metrics + containerPort: {{ .Values.metrics.service.port }} + volumeMounts: + - name: postgresql-custom-metrics + mountPath: /opt/conf + - name: agamotto-configuration + mountPath: /opt/agamotto + volumes: + - name: dshm + emptyDir: + medium: Memory + {{- with .Values.shmVolume.sizeLimit }} + sizeLimit: {{ . }} + {{- end }} + - name: pod-info + downwardAPI: + items: + - path: "pod-role" + fieldRef: + fieldPath: metadata.labels['kubeblocks.io/role'] + - path: "primary-pod" + fieldRef: + fieldPath: metadata.annotations['rs.apps.kubeblocks.io/primary'] + - path: "component-replicas" + fieldRef: + fieldPath: metadata.annotations['apps.kubeblocks.io/component-replicas'] diff --git a/addons/postgresql/templates/componentdefinition-14.yaml b/addons/postgresql/templates/componentdefinition-14.yaml new file mode 100644 index 000000000..199086463 --- /dev/null +++ b/addons/postgresql/templates/componentdefinition-14.yaml 
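Review bot: In the postgresql container env of componentdefinition-12.yaml, `PGPASSWORD_ADMIN` (user superadmin) and `PGPASSWORD_STANDBY` (user standby) both read the `password` key of the `$(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres` secret, so the replication and admin roles share the superuser's credential and a leaked standby password is a superuser password; the `kbreplicator` system account declared in the same hunk would be the natural source for the standby credential. A second concrete defect is `imagePullPolicy: {{ default .Values.image.pullPolicy "IfNotPresent" }}` on both pg-init-container and postgresql: Sprig's `default` takes the fallback first, so this always renders `IfNotPresent` and ignores the chart value, whereas the mysql definition in this commit has it the right way round, `{{ default "IfNotPresent" .Values.image.pullPolicy }}`. Likewise `{{ default .Values.pgbouncer.image.tag }}` with a single argument is a no-op that renders an empty tag when the value is unset rather than a fallback. The postgresql-12 definition references `constraintRef: postgresql14-cc` and `templateRef: postgresql14-custom-metrics`, which may be intentional sharing but reads like a copy from the 14 definition; a comment saying which it is would help. componentdefinition-14.yaml repeats the same systemAccounts block, and as far as it is visible here the same credential sharing is likely present there too.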
@@ -0,0 +1,402 @@
+apiVersion: apps.kubeblocks.io/v1alpha1
+kind: ComponentDefinition
+metadata:
+ name: postgresql-14
+ labels:
+ {{- include "postgresql.labels" . | nindent 4 }}
+spec:
+ provider: kubeblocks
+ description: A PostgreSQL (with Patroni HA) component definition for Kubernetes
+ serviceKind: postgresql
+ serviceVersion: 14.8.0
+ services:
+ - name: postgresql
+ serviceName: postgresql
+ spec:
+ ports:
+ - name: tcp-postgresql
+ port: 5432
+ targetPort: tcp-postgresql
+ - name: tcp-pgbouncer
+ port: 6432
+ targetPort: tcp-pgbouncer
+ roleSelector: primary
+ connectionCredentials:
+ - name: postgres
+ serviceName: postgresql
+ portName: tcp-postgresql
+ accountName: postgres
+ - name: pgbouncer
+ serviceName: postgresql
+ portName: tcp-pgbouncer
+ accountName: postgres
+ updateStrategy: BestEffortParallel
+ volumes:
+ - name: data
+ needSnapshot: true
+ roles:
+ - name: primary
+ serviceable: true
+ writable: true
+ - name: secondary
+ serviceable: false
+ writable: false
+ labels:
+ apps.kubeblocks.postgres.patroni/scope: "$(KB_CLUSTER_NAME)-$(KB_COMP_NAME)-patroni$(KB_CLUSTER_UID_POSTFIX_8)"
+ logConfigs:
+ {{- range $name,$pattern := .Values.logConfigs }}
+ - name: {{ $name }}
+ filePathPattern: {{ $pattern }}
+ {{- end }}
+ monitor:
+ builtIn: false
+ exporterConfig:
+ scrapePath: /metrics
+ scrapePort: {{ .Values.metrics.service.port }}
+ configs:
+ - name: postgresql-configuration
+ templateRef: postgresql-configuration
+ constraintRef: postgresql14-cc
+ keys:
+ - postgresql.conf
+ namespace: {{ .Release.Namespace }}
+ volumeName: postgresql-config
+ defaultMode: 0444
+ - name: pgbouncer-configuration
+ templateRef: pgbouncer-configuration
+ keys:
+ - pgbouncer.ini
+ namespace: {{ .Release.Namespace }}
+ volumeName: pgbouncer-config
+ defaultMode: 0444
+ - name: postgresql-custom-metrics
+ templateRef: postgresql14-custom-metrics
+ namespace: {{ .Release.Namespace }}
+ volumeName: postgresql-custom-metrics
+ defaultMode: 0444
+ - name: 
agamotto-configuration
+ templateRef: postgresql-agamotto-configuration
+ namespace: {{ .Release.Namespace }}
+ volumeName: agamotto-configuration
+ defaultMode: 0444
+ scripts:
+ - name: postgresql-scripts
+ templateRef: postgresql-scripts
+ namespace: {{ .Release.Namespace }}
+ volumeName: scripts
+ defaultMode: 0555
+ systemAccounts:
+ - name: postgres
+ initAccount: true
+ passwordGenerationPolicy:
+ length: 10
+ numDigits: 5
+ numSymbols: 0
+ letterCase: MixedCases
+ - name: kbadmin
+ statement: CREATE USER $(USERNAME) SUPERUSER PASSWORD '$(PASSWD)';
+ passwordGenerationPolicy: &defaultPasswdGenerationPolicy
+ length: 10
+ numDigits: 5
+ numSymbols: 0
+ letterCase: MixedCases
+ - name: kbdataprotection
+ statement: CREATE USER $(USERNAME) SUPERUSER PASSWORD '$(PASSWD)';
+ passwordGenerationPolicy: *defaultPasswdGenerationPolicy
+ - name: kbprobe
+ statement: CREATE USER $(USERNAME) WITH PASSWORD '$(PASSWD)'; GRANT pg_monitor TO $(USERNAME);
+ passwordGenerationPolicy: *defaultPasswdGenerationPolicy
+ - name: kbmonitoring
+ statement: CREATE USER $(USERNAME) WITH PASSWORD '$(PASSWD)'; GRANT pg_monitor TO $(USERNAME);
+ passwordGenerationPolicy: *defaultPasswdGenerationPolicy
+ - name: kbreplicator
+ statement: CREATE USER $(USERNAME) WITH REPLICATION PASSWORD '$(PASSWD)';
+ passwordGenerationPolicy: *defaultPasswdGenerationPolicy
+ lifecycleActions:
+ roleProbe:
+ builtinHandler: postgresql
+ failureThreshold: 2
+ periodSeconds: 1
+ timeoutSeconds: 1
+ switchover:
+ withCandidate:
+ image: {{ .Values.image.registry | default "docker.io" }}/{{ .Values.image.repository }}:14.8.0-pgvector-v0.5.0
+ exec:
+ command:
+ - /bin/bash
+ - -c
+ args:
+ - curl -s http://$(KB_REPLICATION_PRIMARY_POD_FQDN):8008/switchover -XPOST -d '{"leader":"$(KB_REPLICATION_PRIMARY_POD_NAME)","candidate":"$(KB_SWITCHOVER_CANDIDATE_NAME)"}'
+ withoutCandidate:
+ image: {{ .Values.image.registry | default "docker.io" }}/{{ .Values.image.repository }}:14.8.0-pgvector-v0.5.0
+ exec: + 
command:
+ - /bin/bash
+ - -c
+ args:
+ - curl -s http://$(KB_REPLICATION_PRIMARY_POD_FQDN):8008/switchover -XPOST -d '{"leader":"$(KB_REPLICATION_PRIMARY_POD_NAME)"}'
+ accountProvision:
+ customHandler:
+ image: {{ .Values.image.registry | default "docker.io" }}/{{ .Values.image.repository }}:14.8.0-pgvector-v0.5.0
+ exec:
+ command:
+ - psql
+ args:
+ - -h$(KB_ACCOUNT_ENDPOINT)
+ - -c
+ - $(KB_ACCOUNT_STATEMENT)
+ env:
+ - name: PGUSER
+ valueFrom:
+ secretKeyRef:
+ name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres
+ key: username
+ optional: false
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres
+ key: password
+ optional: false
+ runtime:
+ securityContext:
+ runAsUser: 0
+ fsGroup: 103
+ runAsGroup: 103
+ initContainers:
+ - name: pg-init-container
+ image: {{ .Values.image.registry | default "docker.io" }}/{{ .Values.image.repository }}:14.8.0-pgvector-v0.5.0
+ imagePullPolicy: {{ default .Values.image.pullPolicy "IfNotPresent" }}
+ command:
+ - /kb-scripts/init_container.sh
+ volumeMounts:
+ - name: data
+ mountPath: /home/postgres/pgdata
+ - name: postgresql-config
+ mountPath: /home/postgres/conf
+ - name: scripts
+ mountPath: /kb-scripts
+ - name: pod-info
+ mountPath: /kb-podinfo
+ containers:
+ - name: postgresql
+ image: {{ .Values.image.registry | default "docker.io" }}/{{ .Values.image.repository }}:14.8.0-pgvector-v0.5.0
+ imagePullPolicy: {{ default .Values.image.pullPolicy "IfNotPresent" }}
+ securityContext:
+ runAsUser: 0
+ command:
+ - /kb-scripts/setup.sh
+ readinessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 10
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 5
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - -ee
+ - |
+ exec pg_isready -U {{ default "postgres" | quote }} -h 127.0.0.1 -p 5432
+ [ -f /postgresql/tmp/.initialized ] || [ -f /postgresql/.initialized ]
+ volumeMounts:
+ - name: dshm
+ mountPath: /dev/shm
+ - name: data
+ mountPath: /home/postgres/pgdata 
+ - name: postgresql-config
+ mountPath: /home/postgres/conf
+ - name: scripts
+ mountPath: /kb-scripts
+ - name: pod-info
+ mountPath: /kb-podinfo
+ ports:
+ - name: tcp-postgresql
+ containerPort: 5432
+ - name: patroni
+ containerPort: 8008
+ env: ## refer https://github.com/zalando/spilo/blob/master/ENVIRONMENT.rst
+ - name: DCS_ENABLE_KUBERNETES_API
+ value: "true"
+ - name: KUBERNETES_USE_CONFIGMAPS
+ value: "true"
+ - name: SCOPE
+ value: "$(KB_CLUSTER_NAME)-$(KB_COMP_NAME)-patroni$(KB_CLUSTER_UID_POSTFIX_8)"
+ - name: KUBERNETES_SCOPE_LABEL
+ value: "apps.kubeblocks.postgres.patroni/scope"
+ - name: KUBERNETES_ROLE_LABEL
+ value: "apps.kubeblocks.postgres.patroni/role"
+ - name: KUBERNETES_LABELS
+ value: '{"app.kubernetes.io/instance":"$(KB_CLUSTER_NAME)","apps.kubeblocks.io/component-name":"$(KB_COMP_NAME)"}'
+ - name: RESTORE_DATA_DIR
+ value: /home/postgres/pgdata/kb_restore
+ - name: KB_PG_CONFIG_PATH
+ value: /home/postgres/conf/postgresql.conf
+ - name: SPILO_CONFIGURATION
+ value: | ## https://github.com/zalando/patroni#yaml-configuration
+ bootstrap:
+ initdb:
+ - auth-host: md5
+ - auth-local: trust
+ - name: ALLOW_NOSSL
+ value: "true"
+ - name: PGROOT
+ value: /home/postgres/pgdata/pgroot
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: PGUSER_SUPERUSER
+ valueFrom:
+ secretKeyRef:
+ name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres
+ key: username
+ optional: false
+ - name: PGPASSWORD_SUPERUSER
+ valueFrom:
+ secretKeyRef:
+ name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres
+ key: password
+ optional: false
+ - name: PGUSER_ADMIN
+ value: superadmin
+ - name: PGPASSWORD_ADMIN
+ valueFrom:
+ secretKeyRef:
+ name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres
+ key: password
+ optional: false
+ - name: PGUSER_STANDBY
+ value: standby
+ - name: PGPASSWORD_STANDBY
+ valueFrom: + 
secretKeyRef:
+ name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres
+ key: password
+ optional: false
+ - name: PGUSER
+ valueFrom:
+ secretKeyRef:
+ name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres
+ key: username
+ optional: false
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres
+ key: password
+ optional: false
+ - name: pgbouncer
+ image: {{ .Values.pgbouncer.image.registry | default "docker.io" }}/{{ .Values.pgbouncer.image.repository }}:{{ default .Values.pgbouncer.image.tag }}
+ imagePullPolicy: {{ .Values.pgbouncer.image.pullPolicy | quote }}
+ securityContext:
+ runAsUser: 0
+ ports:
+ - name: tcp-pgbouncer
+ containerPort: 6432
+ volumeMounts:
+ - name: pgbouncer-config
+ mountPath: /home/pgbouncer/conf
+ - name: scripts
+ mountPath: /kb-scripts
+ command:
+ - /kb-scripts/pgbouncer_setup.sh
+ livenessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 5
+ tcpSocket:
+ port: tcp-pgbouncer
+ readinessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 5
+ tcpSocket:
+ port: tcp-pgbouncer
+ env:
+ - name: PGBOUNCER_AUTH_TYPE
+ value: md5
+ - name: POSTGRESQL_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres
+ key: username
+ optional: false
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres
+ key: password
+ optional: false
+ - name: POSTGRESQL_PORT
+ value: "5432"
+ - name: POSTGRESQL_HOST
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: PGBOUNCER_PORT
+ value: "6432"
+ - name: PGBOUNCER_BIND_ADDRESS
+ value: "0.0.0.0"
+ - name: metrics
+ image: {{ .Values.metrics.image.registry | default "docker.io" }}/{{ .Values.metrics.image.repository }}:{{ .Values.metrics.image.tag }}
+ imagePullPolicy: {{ .Values.metrics.image.pullPolicy 
| quote }}
+ securityContext:
+ runAsUser: 0
+ env:
+ - name: ENDPOINT
+ value: {{ printf "127.0.0.1:5432" }}
+ - name: DATA_SOURCE_PASS
+ valueFrom:
+ secretKeyRef:
+ name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres
+ key: password
+ optional: false
+ - name: DATA_SOURCE_USER
+ valueFrom:
+ secretKeyRef:
+ name: $(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres
+ key: username
+ optional: false
+ command:
+ - "/bin/agamotto"
+ - "--config=/opt/agamotto/agamotto-config.yaml"
+ ports:
+ - name: http-metrics
+ containerPort: {{ .Values.metrics.service.port }}
+ volumeMounts:
+ - name: postgresql-custom-metrics
+ mountPath: /opt/conf
+ - name: agamotto-configuration
+ mountPath: /opt/agamotto
+ volumes:
+ - name: dshm
+ emptyDir:
+ medium: Memory
+ {{- with .Values.shmVolume.sizeLimit }}
+ sizeLimit: {{ . }}
+ {{- end }}
+ - name: pod-info
+ downwardAPI:
+ items:
+ - path: "pod-role"
+ fieldRef:
+ fieldPath: metadata.labels['kubeblocks.io/role']
+ - path: "primary-pod"
+ fieldRef:
+ fieldPath: metadata.annotations['rs.apps.kubeblocks.io/primary']
+ - path: "component-replicas"
+ fieldRef:
+ fieldPath: metadata.annotations['apps.kubeblocks.io/component-replicas']
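Review bot: Every sidecar in the new componentdefinition-14.yaml runs with the `postgres` superuser credential even though least-privileged accounts are provisioned under `systemAccounts` in the same hunk: `DATA_SOURCE_USER`/`DATA_SOURCE_PASS` on the metrics container and `POSTGRESQL_USERNAME`/`POSTGRESQL_PASSWORD` on pgbouncer both read `$(COMPONENT_CONN_CREDENTIAL_SECRET_NAME)-postgres`, and `PGPASSWORD_ADMIN` and `PGPASSWORD_STANDBY` reuse that same `password` key for the `superadmin` and `standby` roles, so a compromised exporter, pooler or replica holds superuser on the primary. The exporter should authenticate as `kbmonitoring` (pg_monitor) and Patroni's standby as `kbreplicator` (REPLICATION), each from its own secret, so the superuser password is never handed to a sidecar. Separately, `ALLOW_NOSSL: "true"` together with `- auth-host: md5` and `PGBOUNCER_AUTH_TYPE: md5` admits unencrypted, MD5-authenticated connections on 5432 and on pgbouncer bound to `0.0.0.0`; unless a network policy outside this file restricts them, prefer `- auth-host: scram-sha-256`, `PGBOUNCER_AUTH_TYPE: scram-sha-256` (presumably requires a pgbouncer build with SCRAM support — verify the image tag) and dropping `ALLOW_NOSSL`. The switchover actions also POST to Patroni's REST API over plain `http://…:8008/switchover` with no credentials, and the pod plus all three containers set `runAsUser: 0`, so the restapi should get `PATRONI_RESTAPI_USERNAME`/`PATRONI_RESTAPI_PASSWORD` (and the curl calls the matching `-u`) and the containers should run as the postgres uid unless `init_container.sh`, which is outside this hunk, genuinely needs root.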