From 19fd925b3a0595f75217cc024943310ffe6a715a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20=C5=98eho=C5=99?=
Date: Fri, 17 May 2024 22:31:47 +0200
Subject: [PATCH] add cloudnative-pg

---
 .github/renovate/versioning.json5 | 7 ++
 .../cloudnative-pg/app/helmrelease.yaml | 34 ++++++
 .../cloudnative-pg/app/kustomization.yaml | 10 ++
 .../database/cloudnative-pg/app/role.yaml | 21 ++++
 .../cloudnative-pg/app/rolebinding.yaml | 13 +++
 .../cloudnative-pg/app/secret.sops.yaml | 61 +++++++++++
 .../cloudnative-pg/cluster/cluster16.yaml | 100 ++++++++++++++++++
 .../cloudnative-pg/cluster/imagecatalog.yaml | 10 ++
 .../cloudnative-pg/cluster/kustomization.yaml | 9 ++
 .../cluster/prometheusrule.yaml | 67 ++++++++++++
 .../cluster/scheduledbackup.yaml | 12 +++
 .../main/apps/database/cloudnative-pg/ks.yaml | 44 ++++++++
 .../main/apps/database/kustomization.yaml | 6 ++
 kubernetes/main/apps/database/namespace.yaml | 7 ++
 .../stores/kustomization.yaml | 1 +
 .../postgres-secrets/clustersecretstore.yaml | 19 ++++
 .../postgres-secrets/kustomization.yaml | 7 ++
 .../postgres-secrets/serviceaccount.yaml | 5 +
 .../openebs/app/local-database-sc.yaml | 3 +-
 .../repositories/helm/cloudnative-pg.yaml | 10 ++
 .../flux/repositories/helm/kustomization.yaml | 1 +
 .../openebs/app/local-database-sc.yaml | 2 +-
 22 files changed, 447 insertions(+), 2 deletions(-)
 create mode 100644 kubernetes/main/apps/database/cloudnative-pg/app/helmrelease.yaml
 create mode 100644 kubernetes/main/apps/database/cloudnative-pg/app/kustomization.yaml
 create mode 100644 kubernetes/main/apps/database/cloudnative-pg/app/role.yaml
 create mode 100644 kubernetes/main/apps/database/cloudnative-pg/app/rolebinding.yaml
 create mode 100644 kubernetes/main/apps/database/cloudnative-pg/app/secret.sops.yaml
 create mode 100644 kubernetes/main/apps/database/cloudnative-pg/cluster/cluster16.yaml
 create mode 100644 kubernetes/main/apps/database/cloudnative-pg/cluster/imagecatalog.yaml
 create mode 100644 kubernetes/main/apps/database/cloudnative-pg/cluster/kustomization.yaml
 create mode 100644 kubernetes/main/apps/database/cloudnative-pg/cluster/prometheusrule.yaml
 create mode 100644 kubernetes/main/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml
 create mode 100644 kubernetes/main/apps/database/cloudnative-pg/ks.yaml
 create mode 100644 kubernetes/main/apps/database/kustomization.yaml
 create mode 100644 kubernetes/main/apps/database/namespace.yaml
 create mode 100644 kubernetes/main/apps/security/external-secrets/stores/postgres-secrets/clustersecretstore.yaml
 create mode 100644 kubernetes/main/apps/security/external-secrets/stores/postgres-secrets/kustomization.yaml
 create mode 100644 kubernetes/main/apps/security/external-secrets/stores/postgres-secrets/serviceaccount.yaml
 create mode 100644 kubernetes/main/flux/repositories/helm/cloudnative-pg.yaml
diff --git a/.github/renovate/versioning.json5 b/.github/renovate/versioning.json5
index c7cca877..f99c798e 100644
--- a/.github/renovate/versioning.json5
+++ b/.github/renovate/versioning.json5
@@ -6,6 +6,13 @@
 "matchDatasources": ["github-releases"],
 "versioning": "regex:^v(?\\d+)\\.(?\\d+)\\.(?\\d+)(?\\+k.s)\\.?(?\\d+)$",
 "matchPackagePatterns": ["k3s"]
+ },
+ {
+ "description": ["Use custom versioning for TimescaleDB"],
+ "matchDatasources": ["docker"],
+ // https://docs.renovatebot.com/modules/versioning/#regular-expression-versioning
+ "versioning": "regex:^(?\\d+)(-(?\\d+)\\.(?\\d+)(-(?\\d+))?)?$",
+ "matchPackagePatterns": ["timescaledb"]
 }
 ]
 }
diff --git a/kubernetes/main/apps/database/cloudnative-pg/app/helmrelease.yaml b/kubernetes/main/apps/database/cloudnative-pg/app/helmrelease.yaml
new file mode 100644
index 00000000..ef778a28
--- /dev/null
+++ b/kubernetes/main/apps/database/cloudnative-pg/app/helmrelease.yaml
@@ -0,0 +1,34 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: cloudnative-pg
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: cloudnative-pg
+ version: 0.21.2
+ sourceRef:
+ kind: HelmRepository
+ name: cloudnative-pg
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ dependsOn:
+ - name: openebs
+ namespace: storage
+ values:
+ crds:
+ create: true
+ monitoring:
+ podMonitorEnabled: false
+ # grafanaDashboard:
+ # create: true
diff --git a/kubernetes/main/apps/database/cloudnative-pg/app/kustomization.yaml b/kubernetes/main/apps/database/cloudnative-pg/app/kustomization.yaml
new file mode 100644
index 00000000..1d31960f
--- /dev/null
+++ b/kubernetes/main/apps/database/cloudnative-pg/app/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
+ - ./role.yaml
+ - ./rolebinding.yaml
+ - ./secret.sops.yaml
+
+
diff --git a/kubernetes/main/apps/database/cloudnative-pg/app/role.yaml b/kubernetes/main/apps/database/cloudnative-pg/app/role.yaml
new file mode 100644
index 00000000..00aef4ac
--- /dev/null
+++ b/kubernetes/main/apps/database/cloudnative-pg/app/role.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: postgres-secrets-manager
+rules:
+ - apiGroups: [""]
+ resources:
+ - secrets
+ resourceNames:
+ - postgres-secret
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - selfsubjectrulesreviews
+ verbs:
+ - create
diff --git a/kubernetes/main/apps/database/cloudnative-pg/app/rolebinding.yaml b/kubernetes/main/apps/database/cloudnative-pg/app/rolebinding.yaml
new file mode 100644
index 00000000..8ff950fe
--- /dev/null
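Review bot: The resource list in `app/kustomization.yaml` ends with two empty added lines, and the file lacks the `# yaml-language-server: $schema=https://json.schemastore.org/kustomization` header that the sibling `cluster/kustomization.yaml` and `postgres-secrets/kustomization.yaml` in this commit carry. Dropping the trailing blank lines and adding the schema line keeps the three kustomizations uniform.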
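Review bot: The `verbs` list on the `secrets` rule in `role.yaml` grants `list` and `watch` alongside `get`, which is more than the named-secret path needs. The external-secrets Kubernetes provider reads a secret given by name with a `get`, and once `resourceNames` is set, `list`/`watch` are in practice only honoured for requests that carry a `metadata.name` field selector, so they add little while widening the grant; `verbs: [get]` is enough unless an ExternalSecret uses `dataFrom.find` against this store, which would need an unrestricted `list` instead. The `selfsubjectrulesreviews` rule is what the provider's store validation uses and can stay.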
+++ b/kubernetes/main/apps/database/cloudnative-pg/app/rolebinding.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: postgres-secrets-manager-binding
+subjects:
+ - kind: ServiceAccount
+ name: postgres-secrets-manager
+ namespace: security
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: postgres-secrets-manager
diff --git a/kubernetes/main/apps/database/cloudnative-pg/app/secret.sops.yaml b/kubernetes/main/apps/database/cloudnative-pg/app/secret.sops.yaml
new file mode 100644
index 00000000..981aa66f
--- /dev/null
+++ b/kubernetes/main/apps/database/cloudnative-pg/app/secret.sops.yaml
@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cloudnative-pg-secret
+type: kubernetes.io/basic-auth
+stringData:
+ username: ENC[AES256_GCM,data:kwuEGDkR85g=,iv:9ShWFqwYrbqLQtTYOGbfACdC4qJOkuS99kJqDvgDPpQ=,tag:bpa6Q27d1DLQILess4eZAw==,type:str]
+ password: ENC[AES256_GCM,data:ln9wP53YPAKl3QehDnhKpeM=,iv:qa3iqMtvf9ONTY+yqnmwxRrB/hvqq0h2EZG5duWcZ5A=,tag:dpbuMt1u0HWspzVbSO7L3g==,type:str]
+ MINIO_ACCESS_KEY: ENC[AES256_GCM,data:VdeOLuCKGDZaOk5W1uWhrcWuL2Y=,iv:TH99+jRIIcKjTLJskGmVc1n9USTqtni67UAMb8yXtPA=,tag:o6POe/jIzyYZt72NIYEHzQ==,type:str]
+ MINIO_SECRET_KEY: ENC[AES256_GCM,data:Jzls9LA5BZifOvlQonAd1NIHiBhOr8r9/gHEaP79IcS4q45rbhIjLA==,iv:QF4yaWKCQMLI8vFZ9no89o0/g020X+I8MWkdtN+rpxI=,tag:tF4mhbx93OAHrNq4CO4AsQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1ve9kzacrwq7l9l0emvs326uk6t576d75r596e083r2tq6xu28qcsacy3s7
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4a2pOK1plN0FLMHk2MXRo
+ OUpPWTVKbDVqVlZxOXJodzMwNmNRV2x1OGhJCnFOaWVUdnRpQjNPb09rUkIyUXpK
+ L29LU3B0bjR0VzBXSGNmSElNK2QyNWcKLS0tIERWNml6d1lJNzVXYWhteUFucHhL
+ SG1pSlhtOWZBU0hnMktiZWFyZ1B3b0UKX32ll3xgJig7u0zDqEuK9D+sGzyYqKWK
+ 3zIGbgw2qvrflTlMLsygBV4ARdu9AMDptpTR+v7vvFnf89S/XNwouQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-17T20:24:06Z"
+ mac: ENC[AES256_GCM,data:NcSDGftDUn/3BRZHfYa1XT6hFqjmRubGeezG2GC5ILs1/ux5lRp7xUsJfJxKf8D3VGkRD72zvUcpVRw0rqhSa8vUdSBGFMdTqhCENzc6B3vklxWV+7iZWeLRyseWUJCP62/6Wgzh5EDTQwN8D/kthaHHvA6XrBfdXV5wZSq1DJU=,iv:CKl14PEKOLsypFhQneaMXYJ60WuUURLtCD/S+D0+k+Y=,tag:FI0CXfeDgkMALNsU7jdTfw==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.8.1
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: postgres-secret
+type: kubernetes.io/basic-auth
+stringData:
+ username: ENC[AES256_GCM,data:N8SlMYLWsAI9RTGWBJj0oNBP/g==,iv:UGEHvyWpfcIjzrubffep1JJdI3al9cC6+sewefx2zHU=,tag:1800GlqKnH1yIuD6jliqaw==,type:str]
+ password: ENC[AES256_GCM,data:udzMynD5jztx1bYvPdezr8XmPMSQt/bI5+p5zVHo6ipij0do0+cRvA==,iv:P+dckwsgaUXuuM8hDPhSCuNvMUjroHdYeHrqLlXLhTo=,tag:/o7g3iNaWVSQaFmfeLI70g==,type:str]
+ host: ENC[AES256_GCM,data:UQtn0cZoWscc9b1Tt4C5ZBE6dOzXHKkRy9rIcu/aWqEsXOhe943qIw==,iv:UsVqgNSTPbs5/jYqpYRQsE+mayBqOjik3rVTZFBsO3A=,tag:Y3gf4HukwFVnXQ9FhRDs9g==,type:str]
+ port: ENC[AES256_GCM,data:JnkJKw==,iv:keOcc7ZunSu6+xNwUGr5VZz7zFqeKkGuGRSXJIn3+wk=,tag:QoOQ4An6PPo9nQsZIcIG3Q==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1ve9kzacrwq7l9l0emvs326uk6t576d75r596e083r2tq6xu28qcsacy3s7
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4a2pOK1plN0FLMHk2MXRo
+ OUpPWTVKbDVqVlZxOXJodzMwNmNRV2x1OGhJCnFOaWVUdnRpQjNPb09rUkIyUXpK
+ L29LU3B0bjR0VzBXSGNmSElNK2QyNWcKLS0tIERWNml6d1lJNzVXYWhteUFucHhL
+ SG1pSlhtOWZBU0hnMktiZWFyZ1B3b0UKX32ll3xgJig7u0zDqEuK9D+sGzyYqKWK
+ 3zIGbgw2qvrflTlMLsygBV4ARdu9AMDptpTR+v7vvFnf89S/XNwouQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-17T20:24:06Z"
+ mac: ENC[AES256_GCM,data:NcSDGftDUn/3BRZHfYa1XT6hFqjmRubGeezG2GC5ILs1/ux5lRp7xUsJfJxKf8D3VGkRD72zvUcpVRw0rqhSa8vUdSBGFMdTqhCENzc6B3vklxWV+7iZWeLRyseWUJCP62/6Wgzh5EDTQwN8D/kthaHHvA6XrBfdXV5wZSq1DJU=,iv:CKl14PEKOLsypFhQneaMXYJ60WuUURLtCD/S+D0+k+Y=,tag:FI0CXfeDgkMALNsU7jdTfw==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.8.1
diff --git a/kubernetes/main/apps/database/cloudnative-pg/cluster/cluster16.yaml b/kubernetes/main/apps/database/cloudnative-pg/cluster/cluster16.yaml
new file mode 100644
index 00000000..86d61706
--- /dev/null
+++ b/kubernetes/main/apps/database/cloudnative-pg/cluster/cluster16.yaml
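Review bot: `cloudnative-pg-secret` carries `MINIO_ACCESS_KEY`/`MINIO_SECRET_KEY` next to the superuser `username`/`password`, but the only consumer of those keys is the `backup.barmanObjectStore` block that `cluster16.yaml` leaves commented out, so object-store credentials are shipped to the cluster now without being used. Moving them into their own Secret (referenced from `s3Credentials` when backup is enabled) keeps the `superuserSecret` to the two keys `kubernetes.io/basic-auth` defines and limits what anyone able to read that Secret obtains. `postgres-secret` also pins `host` and `port` as encrypted literals; if they are meant to be the cluster's `-rw` service they will drift silently if the Cluster is renamed, so a comment stating where they come from would help.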
@@ -0,0 +1,100 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/postgresql.cnpg.io/cluster_v1.json
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: postgres16
+spec:
+ instances: 3
+ imageCatalogRef:
+ apiGroup: postgresql.cnpg.io
+ kind: ImageCatalog
+ name: timescaledb
+ major: 16
+ primaryUpdateStrategy: unsupervised
+ storage:
+ size: 10Gi
+ storageClass: local-database
+ superuserSecret:
+ name: cloudnative-pg-secret
+ enableSuperuserAccess: true
+ postgresql:
+ parameters:
+ max_connections: "400"
+ shared_buffers: "256MB"
+ # ZFS tuning
+ # https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/Workload%20Tuning.html#postgresql
+ # https://vadosware.io/post/everything-ive-seen-on-optimizing-postgres-on-zfs-on-linux/
+ # https://kubeblocks.io/blog/A-testing-report-for-optimizing-PG-performance-on-Kubernetes
+ # https://github.com/cloudnative-pg/cloudnative-pg/discussions/3058
+ # full_page_writes: "off"
+ recovery_prefetch: "try"
+ wal_init_zero: "off"
+ wal_recycle: "off"
+ wal_segment_size: "1024"
+ shared_preload_libraries:
+ - timescaledb
+ nodeMaintenanceWindow:
+ inProgress: false
+ reusePVC: true
+ resources:
+ requests:
+ cpu: 100m
+ limits:
+ memory: 4Gi
+ monitoring:
+ enablePodMonitor: true
+ # https://github.com/cloudnative-pg/cloudnative-pg/issues/2501
+ podMonitorMetricRelabelings:
+ - { sourceLabels: ["cluster"], targetLabel: cnpg_cluster, action: replace }
+ - { regex: cluster, action: labeldrop }
+ # backup:
+ # retentionPolicy: 30d
+ # barmanObjectStore: &barmanObjectStore
+ # data:
+ # compression: bzip2
+ # wal:
+ # compression: bzip2
+ # maxParallel: 4
+ # destinationPath: s3://home-ops-postgresql
+ # endpointURL: https://s3.${STORAGE_DOMAIN}
+ # # Note: serverName version needs to be inclemented
+ # # when recovering from an existing cnpg cluster
+ # serverName: ¤tCluster postgres16-v0
+ # s3Credentials:
+ # accessKeyId:
+ # name: cloudnative-pg-secret
+ # key: MINIO_ACCESS_KEY
+ # secretAccessKey:
+ # name: cloudnative-pg-secret
+ # key: MINIO_SECRET_KEY
+ # Note: previousCluster needs to be set to the name of the previous
+ # cluster when recovering from an existing cnpg cluster
+ bootstrap:
+ initdb:
+ # # User for onedr0p/postgres-init database inital creation
+ # owner: postgres-db-manager
+ # # https://cloudnative-pg.io/documentation/1.19/cloudnative-pg.v1/#postgresql-cnpg-io-v1-BootstrapInitDB
+ # postInitApplicationSQL:
+ # # Assign Postgres DB Manager permissions
+ # # https://www.atlassian.com/data/admin/how-to-change-a-user-to-superuser-in-postgresql
+ # - ALTER USER postgres-db-manager WITH CREATEDB;
+ # - ALTER USER postgres-db-manager WITH CREATEROLE;
+ # Enable PostGIS and TimescaleDB extensions
+ postInitTemplateSQL:
+ - CREATE EXTENSION postgis;
+ - CREATE EXTENSION postgis_topology;
+ - CREATE EXTENSION fuzzystrmatch;
+ - CREATE EXTENSION postgis_tiger_geocoder;
+ - CREATE EXTENSION timescaledb;
+ - CREATE EXTENSION timescaledb_toolkit;
+ # secret:
+ # name: cloudnative-pg-secret
+ # recovery:
+ # source: &previousCluster postgres16-v0
+ # # Note: externalClusters is needed when recovering from an existing cnpg cluster
+ # externalClusters:
+ # - name: *previousCluster
+ # barmanObjectStore:
+ # <<: *barmanObjectStore
+ # serverName: *previousCluster
diff --git a/kubernetes/main/apps/database/cloudnative-pg/cluster/imagecatalog.yaml b/kubernetes/main/apps/database/cloudnative-pg/cluster/imagecatalog.yaml
new file mode 100644
index 00000000..7e9bb06d
--- /dev/null
+++ b/kubernetes/main/apps/database/cloudnative-pg/cluster/imagecatalog.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ImageCatalog
+metadata:
+ name: timescaledb
+spec:
+ images:
+ - major: 16
+ # renovate: datasource=docker
+ image: ghcr.io/imusmanmalik/timescaledb-postgis:16-3.4-42
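Review bot: `enableSuperuserAccess: true` together with `superuserSecret` keeps a password-enabled `postgres` superuser reachable over the network for the whole cluster; recent CloudNativePG releases default this to `false`, in which case the operator disables the password on that role, and nothing in this commit shows a consumer of the superuser beyond the Secret itself, so `enableSuperuserAccess: false` is worth trying unless a bootstrap job needs it. Separately, `wal_segment_size: "1024"` under `postgresql.parameters` names a setting PostgreSQL only accepts at initdb time; CloudNativePG exposes it as `bootstrap.initdb.walSegmentSize` (an integer in MB), so the line as written is likely rejected or ignored — check the operator logs and move it if so. The `serverName: ¤tCluster …` text in the commented backup block reads like a `&currentCluster` anchor mangled on this page rather than in the repository. The hunk starts on the previous line.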
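Review bot: `image: ghcr.io/imusmanmalik/timescaledb-postgis:16-3.4-42` references a community-built image by mutable tag, and this catalog entry is what every instance of `postgres16` boots from, since the Cluster's `imageCatalogRef` selects it by `major: 16`. Pinning the digest, `image: ghcr.io/imusmanmalik/timescaledb-postgis:16-3.4-42@sha256:<IMAGE_DIGEST>`, makes the reference immutable from the cluster's point of view, and the existing `# renovate: datasource=docker` marker with `pinDigests` enabled keeps tag and digest updated together. This is the single place to pin, so the cost is one line.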
diff --git a/kubernetes/main/apps/database/cloudnative-pg/cluster/kustomization.yaml b/kubernetes/main/apps/database/cloudnative-pg/cluster/kustomization.yaml
new file mode 100644
index 00000000..2470546d
--- /dev/null
+++ b/kubernetes/main/apps/database/cloudnative-pg/cluster/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./cluster16.yaml
+ - ./imagecatalog.yaml
+ - ./prometheusrule.yaml
+ - ./scheduledbackup.yaml
diff --git a/kubernetes/main/apps/database/cloudnative-pg/cluster/prometheusrule.yaml b/kubernetes/main/apps/database/cloudnative-pg/cluster/prometheusrule.yaml
new file mode 100644
index 00000000..9c1d6a8d
--- /dev/null
+++ b/kubernetes/main/apps/database/cloudnative-pg/cluster/prometheusrule.yaml
@@ -0,0 +1,67 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/prometheusrule_v1.json
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: cloudnative-pg-rules
+ labels:
+ prometheus: k8s
+ role: alert-rules
+spec:
+ groups:
+ - name: cloudnative-pg.rules
+ rules:
+ - alert: LongRunningTransaction
+ annotations:
+ description: Pod {{ $labels.pod }} is taking more than 5 minutes (300 seconds) for a query.
+ summary: A query is taking longer than 5 minutes.
+ expr: |-
+ cnpg_backends_max_tx_duration_seconds > 300
+ for: 1m
+ labels:
+ severity: warning
+ - alert: BackendsWaiting
+ annotations:
+ description: Pod {{ $labels.pod }} has been waiting for longer than 5 minutes
+ summary: If a backend is waiting for longer than 5 minutes
+ expr: |-
+ cnpg_backends_waiting_total > 300
+ for: 1m
+ labels:
+ severity: warning
+ - alert: PGDatabase
+ annotations:
+ description: Over 150,000,000 transactions from frozen xid on pod {{ $labels.pod }}
+ summary: Number of transactions from the frozen XID to the current one
+ expr: |-
+ cnpg_pg_database_xid_age > 150000000
+ for: 1m
+ labels:
+ severity: warning
+ - alert: PGReplication
+ annotations:
+ description: Standby is lagging behind by over 300 seconds (5 minutes)
+ summary: The standby is lagging behind the primary
+ expr: |-
+ cnpg_pg_replication_lag > 300
+ for: 1m
+ labels:
+ severity: warning
+ - alert: LastFailedArchiveTime
+ annotations:
+ description: Archiving failed for {{ $labels.pod }}
+ summary: Checks the last time archiving failed. Will be < 0 when it has not failed.
+ expr: |-
+ (cnpg_pg_stat_archiver_last_failed_time - cnpg_pg_stat_archiver_last_archived_time) > 1
+ for: 1m
+ labels:
+ severity: warning
+ - alert: DatabaseDeadlockConflicts
+ annotations:
+ description: There are over 10 deadlock conflicts in {{ $labels.pod }}
+ summary: Checks the number of database conflicts
+ expr: |-
+ cnpg_pg_stat_database_deadlocks > 10
+ for: 1m
+ labels:
+ severity: warning
diff --git a/kubernetes/main/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml b/kubernetes/main/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml
new file mode 100644
index 00000000..f73a74f7
--- /dev/null
+++ b/kubernetes/main/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml
@@ -0,0 +1,12 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/postgresql.cnpg.io/scheduledbackup_v1.json
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+ name: postgres
+spec:
+ schedule: "@daily"
+ immediate: true
+ backupOwnerReference: self
+ cluster:
+ name: postgres16
diff --git a/kubernetes/main/apps/database/cloudnative-pg/ks.yaml b/kubernetes/main/apps/database/cloudnative-pg/ks.yaml
new file mode 100644
index 00000000..ebc29f69
--- /dev/null
+++ b/kubernetes/main/apps/database/cloudnative-pg/ks.yaml
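Review bot: The `BackendsWaiting` rule compares `cnpg_backends_waiting_total > 300` while its `description`/`summary` speak of a backend waiting longer than 5 minutes; in CloudNativePG's default monitoring queries that metric is a count of backends currently waiting on locks, not a duration in seconds, so 300 is a very high number of blocked sessions and the alert text misdescribes what fires. Either lower the threshold to a backend count that is meaningful next to `max_connections: "400"` and reword it, e.g. `description: Pod {{ $labels.pod }} has more than 10 backends waiting on locks`, or switch to a duration metric if time is what you mean. The remaining rules read consistently with their expressions. The hunk starts on the previous line.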
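Review bot: `cluster: name: postgres16` in `scheduledbackup.yaml` points at a Cluster whose `backup:` block is entirely commented out in `cluster16.yaml` in this same commit, so there is no `barmanObjectStore` for this schedule to write to. With `immediate: true` the operator creates a Backup as soon as this applies and, as far as I can tell, it will end in a failed phase, as will every `@daily` run after it, which turns the backup status into permanent noise. Either leave `./scheduledbackup.yaml` out of `cluster/kustomization.yaml` until the backup section is enabled, or enable both in one change so the first run can succeed.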
@@ -0,0 +1,44 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cloudnative-pg
+ namespace: flux-system
+spec:
+ targetNamespace: database
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/main/apps/database/cloudnative-pg/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-ops
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cloudnative-pg-cluster
+ namespace: flux-system
+spec:
+ targetNamespace: database
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: cloudnative-pg
+ path: ./kubernetes/main/apps/database/cloudnative-pg/cluster
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-ops
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/main/apps/database/kustomization.yaml b/kubernetes/main/apps/database/kustomization.yaml
new file mode 100644
index 00000000..17c3814f
--- /dev/null
+++ b/kubernetes/main/apps/database/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./cloudnative-pg/ks.yaml
diff --git a/kubernetes/main/apps/database/namespace.yaml b/kubernetes/main/apps/database/namespace.yaml
new file mode 100644
index 00000000..5cad2860
--- /dev/null
+++ b/kubernetes/main/apps/database/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: database
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
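Review bot: Neither Flux Kustomization in `ks.yaml` declares `spec.decryption`, yet the `app` path the first one points at includes `secret.sops.yaml`; Flux decrypts SOPS resources only for Kustomizations that carry `decryption: {provider: sops, secretRef: {name: <SOPS_KEY_SECRET>}}`, and the setting has to be present on each Kustomization that applies encrypted resources. If the repository's top-level Kustomization patches `decryption` into every child, as some home-ops templates do, this is fine; otherwise the first reconcile tries to apply the still-encrypted Secret and `cloudnative-pg-cluster`, which `dependsOn` it, never becomes ready. A one-line comment on the `cloudnative-pg` Kustomization stating where decryption is configured would save the next reader the search.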
diff --git a/kubernetes/main/apps/security/external-secrets/stores/kustomization.yaml b/kubernetes/main/apps/security/external-secrets/stores/kustomization.yaml
index f76ee58a..74781355 100644
--- a/kubernetes/main/apps/security/external-secrets/stores/kustomization.yaml
+++ b/kubernetes/main/apps/security/external-secrets/stores/kustomization.yaml
@@ -3,4 +3,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - ./postgres-secrets
 - ./volsync-secrets
diff --git a/kubernetes/main/apps/security/external-secrets/stores/postgres-secrets/clustersecretstore.yaml b/kubernetes/main/apps/security/external-secrets/stores/postgres-secrets/clustersecretstore.yaml
new file mode 100644
index 00000000..097531e5
--- /dev/null
+++ b/kubernetes/main/apps/security/external-secrets/stores/postgres-secrets/clustersecretstore.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: postgres-secrets-store
+spec:
+ provider:
+ kubernetes:
+ remoteNamespace: database
+ auth:
+ serviceAccount:
+ name: postgres-secrets-manager
+ namespace: security
+ server:
+ caProvider:
+ type: ConfigMap
+ name: kube-root-ca.crt
+ namespace: security
+ key: ca.crt
diff --git a/kubernetes/main/apps/security/external-secrets/stores/postgres-secrets/kustomization.yaml b/kubernetes/main/apps/security/external-secrets/stores/postgres-secrets/kustomization.yaml
new file mode 100644
index 00000000..c2a0b8f2
--- /dev/null
+++ b/kubernetes/main/apps/security/external-secrets/stores/postgres-secrets/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./clustersecretstore.yaml
+ - ./serviceaccount.yaml
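Review bot: `postgres-secrets-store` is a `ClusterSecretStore` with no `conditions`, so an ExternalSecret in any namespace can reference it and have the external-secrets controller copy `postgres-secret` (database credentials, per `role.yaml`) into that namespace; the Role's `resourceNames` limits what the store can read, not who may ask for it. Adding `conditions: [{namespaces: [<CONSUMER_NAMESPACE>]}]` (or a `namespaceSelector`) restricts the store to the namespaces that actually need the credentials, which is also the usual reason to prefer a namespaced `SecretStore` when there is a single consumer. The `caProvider` pointing at `kube-root-ca.crt` in `security` is fine, as that ConfigMap is published in every namespace.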
diff --git a/kubernetes/main/apps/security/external-secrets/stores/postgres-secrets/serviceaccount.yaml b/kubernetes/main/apps/security/external-secrets/stores/postgres-secrets/serviceaccount.yaml
new file mode 100644
index 00000000..c05d5d6f
--- /dev/null
+++ b/kubernetes/main/apps/security/external-secrets/stores/postgres-secrets/serviceaccount.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: postgres-secrets-manager
diff --git a/kubernetes/main/apps/storage/openebs/app/local-database-sc.yaml b/kubernetes/main/apps/storage/openebs/app/local-database-sc.yaml
index 1e7542b9..92adc723 100644
--- a/kubernetes/main/apps/storage/openebs/app/local-database-sc.yaml
+++ b/kubernetes/main/apps/storage/openebs/app/local-database-sc.yaml
@@ -7,7 +7,8 @@ allowVolumeExpansion: true
 parameters:
 fstype: zfs
 poolname: zroot/srv/database
- recordsize: 16k
+ # zfs set atime=off zroot/srv/database
+ recordsize: 32k
 compresion: lz4
 dedup: off
 thinprovision: yes
diff --git a/kubernetes/main/flux/repositories/helm/cloudnative-pg.yaml b/kubernetes/main/flux/repositories/helm/cloudnative-pg.yaml
new file mode 100644
index 00000000..a7c9027b
--- /dev/null
+++ b/kubernetes/main/flux/repositories/helm/cloudnative-pg.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: cloudnative-pg
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://cloudnative-pg.github.io/charts
diff --git a/kubernetes/main/flux/repositories/helm/kustomization.yaml b/kubernetes/main/flux/repositories/helm/kustomization.yaml
index 042998cf..0c1b185b 100644
--- a/kubernetes/main/flux/repositories/helm/kustomization.yaml
+++ b/kubernetes/main/flux/repositories/helm/kustomization.yaml
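Review bot: The new comment `# zfs set atime=off zroot/srv/database` in `local-database-sc.yaml` documents a host-side step this StorageClass cannot apply, and as far as I know zfs-localpv applies `recordsize: 32k` only to datasets it creates after the change, so existing database PVCs keep 16k; a short note beside the comment saying both of these would stop a reader assuming the running cluster changed. While this block is being edited, the context line `compresion: lz4` (here and in the `kubernetes/storage` copy later in this commit) is misspelled — the zfs-localpv parameter is `compression` — so unless the driver rejects unknown keys the dataset silently inherits the pool's compression setting instead of lz4; worth confirming with `zfs get compression` on a provisioned dataset before relying on it.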
@@ -5,6 +5,7 @@ resources:
 - ./backube.yaml
 - ./bjw-s.yaml
 - ./cilium.yaml
+ - ./cloudnative-pg.yaml
 - ./descheduler.yaml
 - ./external-dns.yaml
 - ./external-secrets.yaml
diff --git a/kubernetes/storage/apps/storage/openebs/app/local-database-sc.yaml b/kubernetes/storage/apps/storage/openebs/app/local-database-sc.yaml
index 1e7542b9..af1e7e9a 100644
--- a/kubernetes/storage/apps/storage/openebs/app/local-database-sc.yaml
+++ b/kubernetes/storage/apps/storage/openebs/app/local-database-sc.yaml
@@ -7,7 +7,7 @@ allowVolumeExpansion: true
 parameters:
 fstype: zfs
 poolname: zroot/srv/database
- recordsize: 16k
+ recordsize: 32k
 compresion: lz4
 dedup: off
 thinprovision: yes