Merge pull request #522 from 3dwardch3ng/infra/postgresql

Infra/postgresql

infrastructures/postgresql/env/k3s-cluster/config.json

@@ -0,0 +1,12 @@
+{
+  "appName": "postgresql",
+  "userGivenName": "postgresql",
+  "namespace": "postgresql",
+  "destNamespace": "postgresql",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "infrastructure/postgresql/env/k3s-cluster",
+  "srcRepoURL": "https://github.com/3dwardch3ng/home-cluster-ops.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": null
+}

infrastructures/postgresql/env/k3s-cluster/ingress.yaml

@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: postgresql-ingress
+  namespace: postgresql
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "postgres.cluster.local"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: postgresql-primary
+                port:
+                  number: 5432
+    - host: "replica.postgres.cluster.local"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: postgresql-replica
+                port:
+                  number: 5432

infrastructures/postgresql/env/k3s-cluster/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./volume.yaml
+  - ./ingress.yaml
+helmCharts:
+  - name: postgresql
+    repo: oci://registry-1.docker.io/bitnamicharts
+    version: 15.5.17
+    releaseName: postgresql
+    valuesFile: values.yaml

infrastructures/postgresql/env/k3s-cluster/values.yaml

@@ -0,0 +1,80 @@
+auth:
+  postgresPassword:
+    valueFrom:
+      secretKeyRef:
+        name: postgresql-secrets
+        key: postgres_password
+  username:
+    valueFrom:
+      secretKeyRef:
+        name: postgresql-secrets
+        key: username
+  password:
+    valueFrom:
+      secretKeyRef:
+        name: postgresql-secrets
+        key: password
+  database:
+    valueFrom:
+      secretKeyRef:
+        name: postgresql-secrets
+        key: database
+  replicationPassword:
+    valueFrom:
+      secretKeyRef:
+        name: postgresql-secrets
+        key: replication_password
+architecture: "replication"
+replication:
+  synchronousCommit: "on"
+  numSynchronousReplicas: 1
+  applicationName: "postgres_repl"
+primary:
+  podSecurityContext:
+    fsGroup: 1000
+  containerSecurityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+  podLabels:
+    name: "postgresql-primary"
+  service:
+    type: "LoadBalancer"
+  persistence:
+    existingClaim: postgresql-primary-pvc
+    selector:
+      matchLabels:
+        name: postgresql-primary-pvc
+  extraVolumes:
+    - name: "postgresql-secrets"
+      secret:
+        secretName: postgresql-secrets
+  extraVolumeMounts:
+    - name: "postgresql-secrets"
+      mountPath: "/secrets/postgresql"
+      readOnly: true
+readReplicas:
+  name: "replica"
+  podSecurityContext:
+    fsGroup: 1000
+  containerSecurityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+  podLabels:
+    name: "postgresql-replica"
+  service:
+    type: "LoadBalancer"
+    ports:
+      postgresql: 5433
+  persistence:
+    existingClaim: postgresql-replica-pvc
+    selector:
+      matchLabels:
+        name: postgresql-replica-pvc
+  extraVolumes:
+    - name: "postgresql-secrets"
+      secret:
+        secretName: postgresql-secrets
+  extraVolumeMounts:
+    - name: "postgresql-secrets"
+      mountPath: "/secrets/postgresql"
+      readOnly: true

infrastructures/postgresql/env/k3s-cluster/volume.yaml

@@ -0,0 +1,93 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: postgresql-primary-pv
+  namespace: postgresql
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 8Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/postgresql/primary"
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: postgresql-primary-pvc
+    namespace: postgresql
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-2
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgresql-primary-pvc
+  namespace: postgresql
+  labels:
+    name: postgresql-primary-pvc
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 8Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: postgresql-replica-pv
+  namespace: flux-system
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 8Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/postgresql/replica"
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: postgresql-replica-pvc
+    namespace: postgresql
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-2
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgresql-replica-pvc
+  namespace: postgresql
+  labels:
+    name: postgresql-replica-pvc
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 8Gi

scripts/encrypt-file-by-kubeseal.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/bash
+set -e
+
+filePath=$1
+
+kubeseal --format=yaml --scope cluster-wide -n argocd --controller-name sealed-secrets --controller-namespace argocd < $filePath > $filePath
+