cleanup knps:
kuanfandevops committed Apr 26, 2024
1 parent 61368a1 commit 46111d1
Showing 9 changed files with 437 additions and 278 deletions.
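--- /dev/null
+++ b/openshift/templates/backup-container-2.6.1/cronjob.md
@@ -0,0 +1,22 @@
+# Cronjob prerequisites
+Backup PVC: backup
+KNP: allow CronJob to connect to Spilo
+
+# Create database backup cronjob
+oc process -f ./db-backup-cronjob-2.6.1.yaml \
+JOB_NAME=cthub-db-backup \
+JOB_PERSISTENT_STORAGE_NAME=backup \
+SCHEDULE="00 07,21 * * *" \
+TAG_NAME=2.6.1 \
+DATABASE_SERVICE_NAME=cthub-test-crunchy-replicas \
+DATABASE_DEFAULT_PORT=5432 \
+DATABASE_NAME=cthub \
+DATABASE_DEPLOYMENT_NAME=cthub-patroni-app \
+DATABASE_USER_KEY_NAME=app-db-username \
+DATABASE_PASSWORD_KEY_NAME=app-db-password \
+BACKUP_STRATEGY=rolling \
+BACKUP_DIR=/backups \
+DAILY_BACKUPS=30 \
+WEEKLY_BACKUPS=8 \
+MONTHLY_BACKUPS=2 | oc apply -f - -n 30b186-test
+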
@@ -0,0 +1,253 @@
---
kind: "Template"
apiVersion: "template.openshift.io/v1"
metadata:
name: "{$JOB_NAME}-cronjob-template"
annotations:
description: "Scheduled Task to perform a Database Backup"
tags: "cronjob,backup"
parameters:
- name: "JOB_NAME"
displayName: "Job Name"
description: "Name of the Scheduled Job to Create."
value: "backup-postgres"
required: true
- name: "JOB_PERSISTENT_STORAGE_NAME"
displayName: "Backup Persistent Storage Name"
description: "Pre-Created PVC to use for backup target"
value: "bk-devex-von-tools-a9vlgd1jpsg1"
required: true
- name: "SCHEDULE"
displayName: "Cron Schedule"
description: "Cron Schedule to Execute the Job (using local cluster system TZ)"
# Currently targeting 1:00 AM Daily
value: "0 1 * * *"
required: true
- name: "SOURCE_IMAGE_NAME"
displayName: "Source Image Name"
description: "The name of the image to use for this resource."
required: true
value: "backup-container"
- name: "IMAGE_REGISTRY"
description: "The base OpenShift docker registry"
displayName: "Docker Image Registry"
required: true
# Set value to "docker-registry.default.svc:5000" if using OCP3
value: "docker.io"
- name: "IMAGE_NAMESPACE"
displayName: "Image Namespace"
description: "The namespace of the OpenShift project containing the imagestream for the application."
required: true
value: "bcgovimages"
- name: "TAG_NAME"
displayName: "Environment TAG name"
description: "The TAG name for this environment, e.g., dev, test, prod"
required: true
value: "dev"
- name: "DATABASE_SERVICE_NAME"
displayName: "Database Service Name"
description: "The name of the database service."
required: true
value: "postgresql"
- name: "DATABASE_DEFAULT_PORT"
displayName: "Database Service Port"
description: "The configured port for the database service"
required: true
value: "5432"
- name: "DATABASE_NAME"
displayName: "Database Name"
description: "The name of the database."
required: true
value: "MyDatabase"
- name: "DATABASE_DEPLOYMENT_NAME"
displayName: "Database Deployment Name"
description: "The name associated to the database deployment resources. In particular, this is used to wire up the credentials associated to the database."
required: true
value: "postgresql"
- name: DATABASE_USER_KEY_NAME
displayName: Database User Key Name
description:
The database user key name stored in database deployment resources specified
by DATABASE_DEPLOYMENT_NAME.
required: true
value: database-user
- name: DATABASE_PASSWORD_KEY_NAME
displayName: Database Password Key Name
description:
The database password key name stored in database deployment resources
specified by DATABASE_DEPLOYMENT_NAME.
required: true
value: database-password
- name: "BACKUP_STRATEGY"
displayName: "Backup Strategy"
description: "The strategy to use for backups; for example daily, or rolling."
required: true
value: "rolling"
- name: "BACKUP_DIR"
displayName: "The root backup directory"
description: "The name of the root backup directory"
required: true
value: "/backups/"
- name: "NUM_BACKUPS"
displayName: "The number of backup files to be retained"
description: "The number of backup files to be retained. Used for the `daily` backup strategy. Ignored when using the `rolling` backup strategy."
required: false
value: "5"
- name: "DAILY_BACKUPS"
displayName: "Number of Daily Backups to Retain"
description: "The number of daily backup files to be retained. Used for the `rolling` backup strategy."
required: false
value: "7"
- name: "WEEKLY_BACKUPS"
displayName: "Number of Weekly Backups to Retain"
description: "The number of weekly backup files to be retained. Used for the `rolling` backup strategy."
required: false
value: "4"
- name: "MONTHLY_BACKUPS"
displayName: "Number of Monthly Backups to Retain"
description: "The number of monthly backup files to be retained. Used for the `rolling` backup strategy."
required: false
value: "1"
- name: "JOB_SERVICE_ACCOUNT"
displayName: "Service Account Name"
description: "Name of the Service Account To Exeucte the Job As."
value: "default"
required: true
- name: "SUCCESS_JOBS_HISTORY_LIMIT"
displayName: "Successful Job History Limit"
description: "The number of successful jobs that will be retained"
value: "5"
required: true
- name: "FAILED_JOBS_HISTORY_LIMIT"
displayName: "Failed Job History Limit"
description: "The number of failed jobs that will be retained"
value: "2"
required: true
- name: "JOB_BACKOFF_LIMIT"
displayName: "Job Backoff Limit"
description: "The number of attempts to try for a successful job outcome"
value: "0"
required: false
objects:
- kind: ConfigMap
apiVersion: v1
metadata:
name: "${JOB_NAME}-config"
labels:
template: "${JOB_NAME}-config-template"
cronjob: "${JOB_NAME}"
data:
DATABASE_SERVICE_NAME: "${DATABASE_SERVICE_NAME}"
DEFAULT_PORT: "${DATABASE_DEFAULT_PORT}"
POSTGRESQL_DATABASE: "${DATABASE_NAME}"
# BACKUP_STRATEGY: "daily"
BACKUP_STRATEGY: "rolling"
RETENTION.NUM_BACKUPS: "${NUM_BACKUPS}"
RETENTION.DAILY_BACKUPS: "${DAILY_BACKUPS}"
RETENTION.WEEKLY_BACKUPS: "${WEEKLY_BACKUPS}"
RETENTION.MONTHLY_BACKUPS: "${MONTHLY_BACKUPS}"

- kind: "CronJob"
apiVersion: "batch/v1"
metadata:
name: "${JOB_NAME}"
labels:
template: "${JOB_NAME}-cronjob"
cronjob: "${JOB_NAME}"
spec:
schedule: "${SCHEDULE}"
concurrencyPolicy: "Forbid"
successfulJobsHistoryLimit: "${{SUCCESS_JOBS_HISTORY_LIMIT}}"
failedJobsHistoryLimit: "${{FAILED_JOBS_HISTORY_LIMIT}}"
jobTemplate:
metadata:
labels:
template: "${JOB_NAME}-job"
cronjob: "${JOB_NAME}"
spec:
backoffLimit: ${{JOB_BACKOFF_LIMIT}}
template:
metadata:
labels:
template: "${JOB_NAME}-job"
cronjob: "${JOB_NAME}"
spec:
containers:
- name: "${JOB_NAME}-cronjob"
image: "${IMAGE_REGISTRY}/${IMAGE_NAMESPACE}/${SOURCE_IMAGE_NAME}:${TAG_NAME}"
# image: backup
command:
- "/bin/bash"
- "-c"
- "/backup.sh -1"
volumeMounts:
- mountPath: "${BACKUP_DIR}"
name: "backup"
env:
- name: BACKUP_DIR
value: "${BACKUP_DIR}/db-backups-by-cron/"
- name: BACKUP_STRATEGY
valueFrom:
configMapKeyRef:
name: "${JOB_NAME}-config"
key: BACKUP_STRATEGY
- name: NUM_BACKUPS
valueFrom:
configMapKeyRef:
name: "${JOB_NAME}-config"
key: RETENTION.NUM_BACKUPS
optional: true
- name: DAILY_BACKUPS
valueFrom:
configMapKeyRef:
name: "${JOB_NAME}-config"
key: RETENTION.DAILY_BACKUPS
optional: true
- name: WEEKLY_BACKUPS
valueFrom:
configMapKeyRef:
name: "${JOB_NAME}-config"
key: RETENTION.WEEKLY_BACKUPS
optional: true
- name: MONTHLY_BACKUPS
valueFrom:
configMapKeyRef:
name: "${JOB_NAME}-config"
key: RETENTION.MONTHLY_BACKUPS
optional: true
- name: DATABASE_SERVICE_NAME
valueFrom:
configMapKeyRef:
name: "${JOB_NAME}-config"
key: DATABASE_SERVICE_NAME
- name: DEFAULT_PORT
valueFrom:
configMapKeyRef:
name: "${JOB_NAME}-config"
key: DEFAULT_PORT
optional: true
- name: POSTGRESQL_DATABASE
valueFrom:
configMapKeyRef:
name: "${JOB_NAME}-config"
key: POSTGRESQL_DATABASE
- name: DATABASE_USER
valueFrom:
secretKeyRef:
name: "${DATABASE_DEPLOYMENT_NAME}"
key: "${DATABASE_USER_KEY_NAME}"
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: "${DATABASE_DEPLOYMENT_NAME}"
key: "${DATABASE_PASSWORD_KEY_NAME}"
volumes:
- name: backup
persistentVolumeClaim:
claimName: "${JOB_PERSISTENT_STORAGE_NAME}"
restartPolicy: "Never"
terminationGracePeriodSeconds: 30
activeDeadlineSeconds: 1600
dnsPolicy: "ClusterFirst"
serviceAccountName: "${JOB_SERVICE_ACCOUNT}"
serviceAccount: "${JOB_SERVICE_ACCOUNT}"
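Review bot: The job container is referenced by tag, `${IMAGE_REGISTRY}/${IMAGE_NAMESPACE}/${SOURCE_IMAGE_NAME}:${TAG_NAME}` (docker.io/bcgovimages with the defaults), while the same container receives `DATABASE_USER` and `DATABASE_PASSWORD` from the database secret and mounts the backup volume. A tag can be re-pointed upstream, so the image should be pinned by digest or served from an internal mirror, for example `image: "${IMAGE_REGISTRY}/${IMAGE_NAMESPACE}/${SOURCE_IMAGE_NAME}@${IMAGE_DIGEST}"` with a new required parameter (the name `IMAGE_DIGEST` is only a suggestion). Separately, the ConfigMap sets `BACKUP_STRATEGY: "rolling"` as a literal, so the required `BACKUP_STRATEGY` parameter has no effect; `BACKUP_STRATEGY: "${BACKUP_STRATEGY}"` would honour it. The pod spec also declares no `securityContext` or `resources` and runs under the `default` service account unless `JOB_SERVICE_ACCOUNT` is overridden, which is worth a comment on the parameter recommending a dedicated account for a job that holds database credentials.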
@@ -6,17 +6,6 @@ labels:
metadata:
name: cthub-network-policy
objects:
## Base Network Policies
- kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: deny-by-default
spec:
# The default posture for a security first namespace is to
# deny all traffic. If not added this rule will be added
# by Platform Services during environment cut-over.
podSelector: {}
ingress: []
- apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
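--- /dev/null
+++ b/openshift/templates/knp/2-allow-crunchy-accept.yaml
@@ -0,0 +1,72 @@
+---
+apiVersion: template.openshift.io/v1
+kind: Template
+labels:
+template: cthub-network-policy
+metadata:
+name: allow-crunchy-accept
+parameters:
+- name: ENVIRONMENT
+displayName: null
+description: such as dev, test or prod
+required: true
+objects:
+- apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: allow-crunchy-accept
+spec:
+podSelector:
+matchLabels:
+postgres-operator.crunchydata.com/cluster: cthub-${ENVIRONMENT}-crunchy
+ingress:
+- from:
+- podSelector:
+matchLabels:
+postgres-operator.crunchydata.com/cluster: cthub-${ENVIRONMENT}-crunchy
+- ports:
+- protocol: TCP
+port: 5432
+from:
+- podSelector:
+matchLabels:
+app.kubernetes.io/instance: cthub-${ENVIRONMENT}
+app.kubernetes.io/name: backend
+- ports:
+- protocol: TCP
+port: 5432
+from:
+- podSelector:
+matchLabels:
+openshift.io/deployer-pod.type: hook-mid
+- ports:
+- protocol: TCP
+port: 5432
+from:
+- podSelector:
+matchLabels:
+cronjob: cthub-db-backup
+- ports:
+- protocol: TCP
+port: 9187
+from:
+- namespaceSelector:
+matchLabels:
+environment: tools
+name: 0ab226
+- podSelector:
+matchLabels:
+name: crunchy-prometheus
+- ports:
+- protocol: TCP
+port: 5432
+from:
+- namespaceSelector:
+matchLabels:
+environment: ${ENVIRONMENT}
+name: 30b186
+- podSelector:
+matchLabels:
+app: metabase
+policyTypes:
+- Ingress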
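Review bot: In the last two ingress rules (port 9187 and the final port 5432 rule), `namespaceSelector` and `podSelector` each carry their own `- `, so they are two separate `from` peers and NetworkPolicy treats them as alternatives rather than as one combined condition. As written, every pod in the matched namespace is admitted, and so is any pod in the policy's own namespace labelled `name: crunchy-prometheus` or `app: metabase`. If the intent is "that pod in that namespace", the second selector should sit in the same peer, i.e. `podSelector:` aligned under the `namespaceSelector` entry instead of `- podSelector:`. This matters most for the 5432 rule: the labels `environment: ${ENVIRONMENT}` / `name: 30b186` appear to describe the application's own namespace (cronjob.md applies to `30b186-test`), which would open the database port to every pod there and make the narrower backend, hook-mid and backup rules redundant.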