diff --git a/openshift/crunchydb/README.md b/openshift/crunchydb/README.md new file mode 100644 index 000000000..1859551ca --- /dev/null +++ b/openshift/crunchydb/README.md @@ -0,0 +1,19 @@ +# CrunchyDB + +CHEFS uses CrunchyDB for all of its highly available databases. CrunchyDB uses +Patroni for replication and failovers, and Patroni uses PostgreSQL as the +underlying database. + +## Installation + +The CrunchyDB installations use the +[Helm charts](https://github.com/bcgov/crunchy-postgres) provided by the fine +folks over at platform services. Huge thanks go to that team for doing the hard +work of figuring out the CrunchyDB setup and making it easier for the community +to use CrunchyDB. + +The `charts` directory has been copied here so that changes to the upstream repo +don't unexpectedly change our deployments. This stability and consistency comes +at the cost of added maintenance effort to stay in sync. + +This code is current to commit `91d32cb` in December 2024. diff --git a/openshift/crunchydb/charts/crunchy-postgres/.helmignore b/openshift/crunchydb/charts/crunchy-postgres/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/openshift/crunchydb/charts/crunchy-postgres/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/openshift/crunchydb/charts/crunchy-postgres/Chart.yaml b/openshift/crunchydb/charts/crunchy-postgres/Chart.yaml new file mode 100644 index 000000000..80c889da4 --- /dev/null +++ b/openshift/crunchydb/charts/crunchy-postgres/Chart.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v2 +name: crunchy-postgres +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.6.3 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. + +# Crunchy Postgres Operator version +appVersion: "5.0.4" diff --git a/openshift/crunchydb/charts/crunchy-postgres/README.md b/openshift/crunchydb/charts/crunchy-postgres/README.md new file mode 100644 index 000000000..aee58b659 --- /dev/null +++ b/openshift/crunchydb/charts/crunchy-postgres/README.md 
@@ -0,0 +1,131 @@ +# Crunchy Postgres chart + +A chart to provision a [Crunchy Postgres](https://www.crunchydata.com/) cluster. + +## Configuration + +### Crunchy Options + +| Parameter | Description | Default | +| ------------------ | ---------------------- | ------------------ | +| `fullnameOverride` | Override release name | `crunchy-postgres` | +| `crunchyImage` | Crunchy Postgres image | | +| `postgresVersion` | Postgres version | `14` | + +--- + +### Instances + +| Parameter | Description | Default | +| ------------------------------------------- | ------------------------------ | ------------------------ | +| `instances.name` | Instance name | `ha` (high availability) | +| `instances.replicas` | Number of replicas | `2` | +| `instances.dataVolumeClaimSpec.storage` | Amount of storage for each PVC | `480Mi` | +| `instances.requests.cpu` | CPU requests | `1m` | +| `instances.requests.memory` | Memory requests | `256Mi` | +| `instances.limits.cpu` | CPU limits | `100m` | +| `instances.limits.memory` | Memory limits | `512Mi` | +| `instances.replicaCertCopy.requests.cpu` | replicaCertCopy CPU requests | `1m` | +| `instances.replicaCertCopy.requests.memory` | replicaCertCopyMemory requests | `32Mi` | +| `instances.replicaCertCopy.limits.cpu` | replicaCertCopyCPU limits | `50m` | +| `instances.replicaCertCopy.limits.memory` | replicaCertCopy Memory limits | `64Mi` | + +--- + +### pgBackRest - Reliable PostgreSQL Backup & Restore + +[pgBackRest site](https://pgbackrest.org/) +[Crunchy pgBackRest docs](https://access.crunchydata.com/documentation/pgbackrest/latest/) + +| Parameter | Description | Default | +| ---------------------------------------------------- | ------------------------------------------------------------- | ---------------------- | +| `pgBackRest.image` | Crunchy pgBackRest | | +| `pgBackRest.retention` | Number of backups/days to keep depending on retentionFullType | `2` | +| `pgBackRest.retentionFullType` | Either 'count' or 'time' | `count` | 
+| `pgBackRest.repos.schedules.full` | Full backup schedule | `0 8 * * *` | +| `pgBackRest.repos.schedules.incremental` | Incremental backup schedule | `0 0,4,12,16,20 * * *` | +| `pgBackRest.repos.schedules.volume.addessModes` | Access modes | `ReadWriteOnce` | +| `pgBackRest.repos.schedules.volume.storage` | Access modes | `64Mi` | +| `pgBackRest.repos.schedules.volume.storageClassName` | Storage class name modes | `netapp-file-backup` | +| `pgBackRest.repoHost.requests.cpu` | CPU requests | `1m` | +| `pgBackRest.repoHost.requests.memory` | Memory requests | `64Mi` | +| `pgBackRest.repoHost.limits.cpu` | CPU limits | `50m` | +| `pgBackRest.repoHost.limits.memory` | Memory limits | `128Mi` | +| `pgBackRest.sidecars.requests.cpu` | sidecars CPU requests | `1m` | +| `pgBackRest.sidecars.requests.memory` | sidecars Memory requests | `64Mi` | +| `pgBackRest.sidecars.limits.cpu` | sidecars CPU limits | `50m` | +| `pgBackRest.sidecars.limits.memory` | sidecars Memory limits | `128Mi` | +| `pgBackRest.s3.enabled` | Enables the s3 repo backups | `false` | +| `pgBackRest.s3.createS3Secret` | Creates the s3 secret based on key and keySecret | `true` | +| `pgBackRest.s3.s3Secret` | The secret name to be created or read from | `s3-pgbackrest` | +| `pgBackRest.s3.s3Path` | The path inside the bucket where the backups will be saved to, set it to `/` to use the root of the bucket. | `/dbbackup` | +| `pgBackRest.s3.s3UriStyle` | Style of URL to use for S3 communication. [More Info](https://pgbackrest.org/configuration.html#section-repository/option-repo-s3-uri-style) | `path` | +| `pgBackRest.s3.bucket` | The bucket to use for backups | `bucketName` | +| `pgBackRest.s3.endpoint` | The endpoint to use, for example s3.ca-central-1.amazonaws.com | `endpointName` | +| `pgBackRest.s3.region` | The region to use, not necessary if your S3 system does not specify one | `ca-central-1` | +| `pgBackRest.s3.key` | The key to use to access the bucket. 
MUST BE KEPT SECRET | `s3KeyValue` | +| `pgBackRest.s3.keySecret` | The key secret for the key set above. MUST BE KEPT SECRET | `s3SecretValue` | +--- + +### Patroni + +[Patroni docs](https://patroni.readthedocs.io/en/latest/) +[Crunchy Patroni docs](https://access.crunchydata.com/documentation/patroni/latest/) + +| Parameter | Description | Default | +| ------------------------------------------- | ------------------------------------------------------------------- | --------------------------------- | +| `patroni.postgresql.pg_hba` | pg_hba permissions | `"host all all 0.0.0.0/0 md5"` | +| `crunchyImage` | Crunchy Postgres image | `...crunchy-postgres:ubi8-14.7-0` | +| `patroni.parameters.shared_buffers` | The number of shared memory buffers used by the server | `16MB` | +| `patroni.parameters.wal_buffers` | The number of disk-page buffers in shared memory for WAL | `64KB` | +| `patroni.parameters.min_wal_size` | The minimum size to shrink the WAL to | `32MB` | +| `patroni.parameters.max_wal_size` | Sets the WAL size that triggers a checkpoint | `64MB` | +| `patroni.parameters.max_slot_wal_keep_size` | Sets the maximum WAL size that can be reserved by replication slots | `128MB` | + +--- + +### pgBouncer + +A lightweight connection pooler for PostgreSQL + +[pgBouncer site](https://www.pgbouncer.org/) +[Crunchy Postgres pgBouncer docs](https://access.crunchydata.com/documentation/pgbouncer/latest/) + +| Parameter | Description | Default | +| --------------------------------- | ----------------------- | ------- | +| `proxy.pgBouncer.image` | Crunchy pgBouncer image | | +| `proxy.pgBouncer.replicas` | Number of replicas | `2` | +| `proxy.pgBouncer.requests.cpu` | CPU requests | `1m` | +| `proxy.pgBouncer.requests.memory` | Memory requests | `64Mi` | +| `proxy.pgBouncer.limits.cpu` | CPU limits | `50m` | +| `proxy.pgBouncer.limits.memory` | Memory limits | `128Mi` | + +--- + +## PG Monitor + +[Crunchy Postgres PG Monitor 
docs](https://access.crunchydata.com/documentation/pgmonitor/latest/) + +| Parameter | Description | Default | +| ------------------------------------ | ---------------------------------------------- | ------- | +| `pgmonitor.enabled` | Enable PG Monitor (currently only PG exporter) | `false` | +| `pgmonitor.exporter.requests.cpu` | PG Monitor CPU requests | `1m` | +| `pgmonitor.exporter.requests.memory` | PG Monitor Memory requests | `64Mi` | +| `pgmonitor.exporter.limits.cpu` | PG Monitor CPU limits | `50m` | +| `pgmonitor.exporter.limits.memory` | PG Monitor Memory limits | `128Mi` | + +#### Postgres Exporter + +A [Prometheus](https://prometheus.io/) exporter for PostgreSQL + +[Postgres Exporter](https://github.com/prometheus-community/postgres_exporter) + +| Parameter | Description | Default | +| ------------------------------------ | ------------------------- | ------- | +| `pgmonitor.exporter.image` | Crunchy PG Exporter image | | +| `pgmonitor.exporter.requests.cpu` | CPU requests | `1m` | +| `pgmonitor.exporter.requests.memory` | Memory requests | `64Mi` | +| `pgmonitor.exporter.limits.cpu` | CPU limits | `50m` | +| `pgmonitor.exporterr.limits.memory` | Memory limits | `128Mi` | + +--- diff --git a/openshift/crunchydb/charts/crunchy-postgres/templates/PostgresCluster.yaml b/openshift/crunchydb/charts/crunchy-postgres/templates/PostgresCluster.yaml new file mode 100644 index 000000000..e2b31d172 --- /dev/null +++ b/openshift/crunchydb/charts/crunchy-postgres/templates/PostgresCluster.yaml 
@@ -0,0 +1,217 @@ +apiVersion: postgres-operator.crunchydata.com/v1beta1 +kind: PostgresCluster +metadata: + name: {{ template "crunchy-postgres.fullname" . }} + labels: {{ include "crunchy-postgres.labels" . | nindent 4 }} +spec: + metadata: + labels: {{ include "crunchy-postgres.labels" . | nindent 6 }} + {{ if .Values.crunchyImage }} + image: {{ .Values.crunchyImage }} + {{ end }} + imagePullPolicy: {{.Values.imagePullPolicy}} + postgresVersion: {{ .Values.postgresVersion }} + {{ if .Values.postGISVersion }} + postGISVersion: {{ .Values.postGISVersion | quote }} + {{ end }} + postgresVersion: {{ .Values.postgresVersion }} + + {{ if .Values.pgmonitor.enabled }} + + monitoring: + pgmonitor: + # this stuff is for the "exporter" container in the "postgres-cluster-ha" set of pods + exporter: + {{ if .Values.pgmonitor.exporter.image}} + image: {{ .Values.pgmonitor.exporter.image}} + {{ end }} + resources: + requests: + cpu: {{ .Values.pgmonitor.exporter.requests.cpu }} + memory: {{ .Values.pgmonitor.exporter.requests.memory }} + limits: + cpu: {{ .Values.pgmonitor.exporter.limits.cpu }} + memory: {{ .Values.pgmonitor.exporter.limits.memory }} + + {{ end }} + + instances: + - name: {{ .Values.instances.name }} + replicas: {{ .Values.instances.replicas }} + resources: + requests: + cpu: {{ .Values.instances.requests.cpu }} + memory: {{ .Values.instances.requests.memory }} + limits: + cpu: {{ .Values.instances.limits.cpu }} + memory: {{ .Values.instances.limits.memory }} + sidecars: + replicaCertCopy: + resources: + requests: + cpu: {{ .Values.instances.replicaCertCopy.requests.cpu }} + memory: {{ .Values.instances.replicaCertCopy.requests.memory }} + limits: + cpu: {{ .Values.instances.replicaCertCopy.limits.cpu }} + memory: {{ .Values.instances.replicaCertCopy.limits.memory }} + dataVolumeClaimSpec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: {{ .Values.instances.dataVolumeClaimSpec.storage }} + storageClassName: {{ 
.Values.instances.dataVolumeClaimSpec.storageClassName }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: topology.kubernetes.io/zone + labelSelector: + matchLabels: + postgres-operator.crunchydata.com/cluster: + {{ template "crunchy-postgres.fullname" . }} + postgres-operator.crunchydata.com/instance-set: {{ .Values.instances.name }}-ha + + users: + - name: {{ template "crunchy-postgres.fullname" . }} + databases: + - {{ template "crunchy-postgres.fullname" . }} + options: "CREATEROLE" + - name: postgres + databases: + - {{ template "crunchy-postgres.fullname" . }} + + {{ if .Values.dataSource.enabled }} + dataSource: + pgbackrest: + configuration: + - secret: + name: {{ .Values.dataSource.secretName }} + global: + repo2-path: {{ .Values.dataSource.repo.path }} + repo: + name: {{ .Values.dataSource.repo.name }} + s3: + bucket: {{ .Values.dataSource.repo.s3.bucket }} + endpoint: {{ .Values.dataSource.repo.s3.endpoint }} + region: {{ .Values.dataSource.repo.s3.region }} + stanza: {{ .Values.dataSource.stanza }} + {{ end }} + + backups: + pgbackrest: + {{ if .Values.pgBackRest.image }} + image: {{ .Values.pgBackRest.image }} + {{ end }} + {{- if .Values.pgBackRest.s3.enabled }} + configuration: + - secret: + name: {{ .Values.pgBackRest.s3.s3Secret }} + {{- end }} + global: + # Support both PVC and s3 backups + repo1-retention-full: {{ .Values.pgBackRest.retention | quote }} + repo1-retention-full-type: {{ .Values.pgBackRest.retentionFullType }} + {{- if .Values.pgBackRest.s3.enabled }} + repo2-retention-full: {{ .Values.pgBackRest.retention | quote }} + repo2-retention-full-type: {{ .Values.pgBackRest.retentionFullType }} + repo2-path: {{ .Values.pgBackRest.s3.s3Path }} + repo2-s3-uri-style: {{ .Values.pgBackRest.s3.s3UriStyle }} + {{- end }} + repos: + # hardcoding repo1 until we solution allowing multiple repos + - name: repo1 + schedules: + full: {{ 
.Values.pgBackRest.repos.schedules.full }} + incremental: {{ .Values.pgBackRest.repos.schedules.incremental }} + volume: + volumeClaimSpec: + accessModes: + - {{ .Values.pgBackRest.repos.volume.accessModes }} + resources: + requests: + storage: {{ .Values.pgBackRest.repos.volume.storage }} + storageClassName: {{ .Values.pgBackRest.repos.volume.storageClassName }} + {{- if .Values.pgBackRest.s3.enabled }} + - name: repo2 + schedules: + full: {{ if .Values.pgBackRest.s3.fullSchedule }}{{ .Values.pgBackRest.s3.fullSchedule }}{{ else }}{{ .Values.pgBackRest.repos.schedules.full }}{{ end }} + incremental: {{ if .Values.pgBackRest.s3.incrementalSchedule }}{{ .Values.pgBackRest.s3.incrementalSchedule }}{{ else }}{{ .Values.pgBackRest.repos.schedules.incremental }}{{ end }} + s3: + bucket: {{ .Values.pgBackRest.s3.bucket }} + endpoint: {{ .Values.pgBackRest.s3.endpoint }} + region: {{ .Values.pgBackRest.s3.region }} + {{- end }} + # this stuff is for the "pgbackrest" container (the only non-init container) in the "postgres-crunchy-repo-host" pod + repoHost: + resources: + requests: + cpu: {{ .Values.pgBackRest.repoHost.requests.cpu }} + memory: {{ .Values.pgBackRest.repoHost.requests.memory }} + limits: + cpu: {{ .Values.pgBackRest.repoHost.limits.cpu }} + memory: {{ .Values.pgBackRest.repoHost.limits.memory }} + sidecars: + # this stuff is for the "pgbackrest" container in the "postgres-crunchy-ha" set of pods + pgbackrest: + resources: + requests: + cpu: {{ .Values.pgBackRest.sidecars.requests.cpu }} + memory: {{ .Values.pgBackRest.sidecars.requests.memory }} + limits: + cpu: {{ .Values.pgBackRest.sidecars.limits.cpu }} + memory: {{ .Values.pgBackRest.sidecars.limits.memory }} + pgbackrestConfig: + resources: + requests: + cpu: {{ .Values.pgBackRest.sidecars.requests.cpu }} + memory: {{ .Values.pgBackRest.sidecars.requests.memory }} + limits: + cpu: {{ .Values.pgBackRest.sidecars.limits.cpu }} + memory: {{ .Values.pgBackRest.sidecars.limits.memory }} + standby: + 
enabled: {{ .Values.standby.enabled }} + repoName: {{ .Values.standby.repoName }} + + patroni: + dynamicConfiguration: + postgresql: + pg_hba: + - {{ .Values.patroni.postgresql.pg_hba}} + parameters: + shared_buffers: {{ .Values.patroni.postgresql.parameters.shared_buffers }} + wal_buffers: {{ .Values.patroni.postgresql.parameters.wal_buffers }} + min_wal_size: {{ .Values.patroni.postgresql.parameters.min_wal_size }} + max_wal_size: {{ .Values.patroni.postgresql.parameters.max_wal_size }} + max_slot_wal_keep_size: {{ .Values.patroni.postgresql.parameters.max_slot_wal_keep_size }} + + proxy: + pgBouncer: + config: + global: + client_tls_sslmode: disable + {{ if .Values.proxy.pgBouncer.image }} + image: {{ .Values.proxy.pgBouncer.image }} + {{ end }} + replicas: {{ .Values.proxy.pgBouncer.replicas }} + # these resources are for the "pgbouncer" container in the "postgres-crunchy-ha-pgbouncer" set of pods + # there is a sidecar in these pods which are not mentioned here, but the requests/limits are teeny weeny by default so no worries there. + resources: + requests: + cpu: {{ .Values.proxy.pgBouncer.requests.cpu }} + memory: {{ .Values.proxy.pgBouncer.requests.memory }} + limits: + cpu: {{ .Values.proxy.pgBouncer.limits.cpu }} + memory: {{ .Values.proxy.pgBouncer.limits.memory }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: topology.kubernetes.io/zone + labelSelector: + matchLabels: + postgres-operator.crunchydata.com/cluster: + {{ .Values.instances.name }} + postgres-operator.crunchydata.com/role: pgbouncer diff --git a/openshift/crunchydb/charts/crunchy-postgres/templates/_helpers.tpl b/openshift/crunchydb/charts/crunchy-postgres/templates/_helpers.tpl new file mode 100644 index 000000000..584e9ad6c --- /dev/null +++ b/openshift/crunchydb/charts/crunchy-postgres/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "crunchy-postgres.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "crunchy-postgres.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "crunchy-postgres.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "crunchy-postgres.labels" -}} +helm.sh/chart: {{ include "crunchy-postgres.chart" . }} +{{ include "crunchy-postgres.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "crunchy-postgres.selectorLabels" -}} +app.kubernetes.io/name: {{ include "crunchy-postgres.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "crunchy-postgres.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "crunchy-postgres.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/openshift/crunchydb/charts/crunchy-postgres/templates/_s3.tpl b/openshift/crunchydb/charts/crunchy-postgres/templates/_s3.tpl new file mode 100644 index 000000000..9f71811f7 --- /dev/null +++ b/openshift/crunchydb/charts/crunchy-postgres/templates/_s3.tpl @@ -0,0 +1,18 @@ +{{/* Allow for S3 secret information to be stored in a Secret */}} +{{- define "postgres.s3" }} +[global] +{{- if .s3 }} + {{- if .s3.key }} +repo{{ add .index 1 }}-s3-key={{ .s3.key }} + {{- end }} + {{- if .s3.keySecret }} +repo{{ add .index 1 }}-s3-key-secret={{ .s3.keySecret }} + {{- end }} + {{- if .s3.keyType }} +repo{{ add .index 1 }}-s3-key-type={{ .s3.keyType }} + {{- end }} + {{- if .s3.encryptionPassphrase }} +repo{{ add .index 1 }}-cipher-pass={{ .s3.encryptionPassphrase }} + {{- end }} +{{- end }} +{{ end }} \ No newline at end of file diff --git a/openshift/crunchydb/charts/crunchy-postgres/templates/s3Secret.yaml b/openshift/crunchydb/charts/crunchy-postgres/templates/s3Secret.yaml new file mode 100644 index 000000000..5c1aef224 --- /dev/null +++ b/openshift/crunchydb/charts/crunchy-postgres/templates/s3Secret.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.pgBackRest.s3.enabled .Values.pgBackRest.s3.createS3Secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.pgBackRest.s3.s3Secret }} +type: Opaque +data: + {{- $args := dict "s3" .Values.pgBackRest.s3 "index" 1 }} + s3.conf: |- + {{ include "postgres.s3" $args | b64enc }} +{{- end }} \ No newline at end of file diff --git a/openshift/crunchydb/charts/crunchy-postgres/values.yaml b/openshift/crunchydb/charts/crunchy-postgres/values.yaml new file mode 100644 index 000000000..6959ac570 --- /dev/null +++ b/openshift/crunchydb/charts/crunchy-postgres/values.yaml 
@@ -0,0 +1,136 @@ +fullnameOverride: crunchy-postgres + +crunchyImage: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default +#crunchyImage: artifacts.developer.gov.bc.ca/bcgov-docker-local/crunchy-postgres-gis:ubi8-15.2-3.3-0 # use this image for POSTGIS +postgresVersion: 15 +#postGISVersion: '3.3' # use this version of POSTGIS. both crunchyImage and this property needs to have valid values for POSTGIS to be enabled. +imagePullPolicy: IfNotPresent + +# enable to bootstrap a standby cluster from backup. Then disable to promote this standby to primary +standby: + enabled: false + # If you want to recover from PVC, use repo1. If you want to recover from S3, use repo2 + repoName: repo2 + +instances: + name: ha # high availability + replicas: 2 + dataVolumeClaimSpec: + storage: 480Mi + storageClassName: netapp-block-standard + requests: + cpu: 1m + memory: 256Mi + limits: + cpu: 100m + memory: 512Mi + replicaCertCopy: + requests: + cpu: 1m + memory: 32Mi + limits: + cpu: 50m + memory: 64Mi + +# If we need to restore the cluster from a backup, we need to set the following values +# assuming restore from repo2 (s3), adjust as needed if your S3 repo is different +dataSource: + enabled: false + # should have the same name and contain the same keys as the pgbackrest secret + secretName: s3-pgbackrest + repo: + name: repo2 + path: "/habackup" + s3: + bucket: "bucketName" + endpoint: "s3.ca-central-1.amazonaws.com" + region: "ca-central-1" + stanza: db + +pgBackRest: + image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default + retention: "2" # Ideally a larger number such as 30 backups/days + # If retention-full-type set to 'count' then the oldest backups will expire when the number of backups reach the number defined in retention + # If retention-full-type set to 'time' then the number defined in retention will take that many days 
worth of full backups before expiration + retentionFullType: count + repos: + schedules: + full: 0 8 * * * + incremental: 0 0,4,12,16,20 * * * + volume: + accessModes: "ReadWriteOnce" + storage: 64Mi + storageClassName: netapp-file-backup + repoHost: + requests: + cpu: 1m + memory: 64Mi + limits: + cpu: 50m + memory: 128Mi + sidecars: + requests: + cpu: 1m + memory: 64Mi + limits: + cpu: 50m + memory: 128Mi + s3: + enabled: false + createS3Secret: true + # the s3 secret name + s3Secret: s3-pgbackrest + # the path start with /, it will be created under bucket if it doesn't exist + s3Path: "/habackup" + # s3UriStyle is host or path + s3UriStyle: path + # bucket specifies the S3 bucket to use, + bucket: "bucketName" + # endpoint specifies the S3 endpoint to use. + endpoint: "endpointName" + # region specifies the S3 region to use. If your S3 storage system does not + # use "region", fill this in with a random value. + region: "ca-central-1" + # key is the S3 key. This is stored in a Secret. + # Please DO NOT push this value to GitHub + key: "s3keyValue" + # keySecret is the S3 key secret. This is stored in a Secret. 
+ # Please DO NOT push this value to GitHub + keySecret: "s3SecretValue" + # setting the below to be one plus of the default schedule + # to avoid conflicts + fullSchedule: "0 9 * * *" + incrementalSchedule: "0 1,5,13,17,21 * * *" + +patroni: + postgresql: + pg_hba: "host all all 0.0.0.0/0 md5" + parameters: + shared_buffers: 16MB # default is 128MB; a good tuned default for shared_buffers is 25% of the memory allocated to the pod + wal_buffers: "64kB" # this can be set to -1 to automatically set as 1/32 of shared_buffers or 64kB, whichever is larger + min_wal_size: 32MB + max_wal_size: 64MB # default is 1GB + max_slot_wal_keep_size: 128MB # default is -1, allowing unlimited wal growth when replicas fall behind + +proxy: + pgBouncer: + image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default + replicas: 2 + requests: + cpu: 1m + memory: 64Mi + limits: + cpu: 50m + memory: 128Mi + +# Postgres Cluster resource values: +pgmonitor: + enabled: false + exporter: + image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default + requests: + cpu: 1m + memory: 64Mi + limits: + cpu: 50m + memory: 128Mi diff --git a/openshift/crunchydb/charts/tools/.helmignore b/openshift/crunchydb/charts/tools/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/openshift/crunchydb/charts/tools/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ 
diff --git a/openshift/crunchydb/charts/tools/Chart.yaml b/openshift/crunchydb/charts/tools/Chart.yaml new file mode 100644 index 000000000..fb0e3cfc2 --- /dev/null +++ b/openshift/crunchydb/charts/tools/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: crunchy-postgres-tools +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.3.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "0.1.0" diff --git a/openshift/crunchydb/charts/tools/README.md b/openshift/crunchydb/charts/tools/README.md new file mode 100644 index 000000000..efc8191f5 --- /dev/null +++ b/openshift/crunchydb/charts/tools/README.md 
@@ -0,0 +1,80 @@ +# Crunchy Postgres Tools chart + +A chart to provision service accounts and networking templates to our namespaces. + +This chart is meant to be deployed in all namespaces while using the `provisioner.namespace` value to conditionally deploy services in the correct namespaces. + +## Included templates: + +### Service accounts: + +#### Deployer + +A service account to be used to login to OpenShift and deploy your application in CI. This is deployed in all namespaces except for the tools/provisioner namespace. + +| Parameter | Description | Default | +| --------------------------------- | ----------------------------------- | ------- | +| `deployer.serviceAccount.enabled` | Enable the deployer service account | `true` | + +--- + +#### Provisioner + +A service account which is deployed to the tools namespace but the roles and rolebindings are deployed to all namespaces, giving the service account permissions to provision tools to all of the namespaces from the tools namespace. + +| Parameter | Description | Default | +| -------------------------------- | ----------------------------------------- | ------- | +| `deployer.provisioner.enabled` | Enable the provisioner service account | `true` | +| `deployer.provisioner.namespace` | The namespace the provisioner will run in | `true` | + +--- + +#### Linter + +A service account deployed to the /tools namespace and used to login to OpenShift and verify Helm templates. 
+ +| Parameter | Description | Default | +| ------------------------- | --------------------------------- | ------- | +| `deployer.linter.enabled` | Enable the linter service account | `true` | + +--- + +### Networking + +#### Namespace ingress network policy + +Network policy to allow traffic from outside the namespace (like the internet) to access our pods + +| Parameter | Description | Default | +| ---------------------------------- | --------------------------------- | ------- | +| `networking.networkPolicy.enabled` | Enable the ingress network policy | `true` | + +--- + +#### Pod ingress network policy + +Pod network policy to allow pods to accept traffic from other pods in this namespace + +| Parameter | Description | Default | +| ------------------------------------- | ------------------------------------- | ------- | +| `networking.podNetworkPolicy.enabled` | Enable the pod ingress network policy | `true` | + +--- + +#### Route + +OpenShift route whitch allows you to host your application at a public URL. + +| Parameter | Description | Default | +| -------------------------- | -------------------------- | ------- | +| `networking.route.enabled` | Enable the OpenShift route | `true` | +| `networking.route.host` | The OpenShift route host | | + +--- + +## Name overrides + +| Parameter | Description | Default | +| ------------------ | ------------------------------------------ | ------------------------ | +| `fullnameOverride` | Override release name | `crunchy-postgres-tools` | +| `deploymentName` | The name of your dev/test/prod deployments | `crunchy-postgres` | diff --git a/openshift/crunchydb/charts/tools/templates/_helpers.tpl b/openshift/crunchydb/charts/tools/templates/_helpers.tpl new file mode 100644 index 000000000..012711fdc --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "crunchy-postgres-tools.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "crunchy-postgres-tools.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "crunchy-postgres-tools.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "crunchy-postgres-tools.labels" -}} +helm.sh/chart: {{ include "crunchy-postgres-tools.chart" . }} +{{ include "crunchy-postgres-tools.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "crunchy-postgres-tools.selectorLabels" -}} +app.kubernetes.io/name: {{ include "crunchy-postgres-tools.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "crunchy-postgres-tools.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "crunchy-postgres-tools.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/openshift/crunchydb/charts/tools/templates/deployer/deployerRole.yaml b/openshift/crunchydb/charts/tools/templates/deployer/deployerRole.yaml new file mode 100644 index 000000000..4acd4289c --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/deployer/deployerRole.yaml 
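Review bot: the `crunchy-postgres-tools.serviceAccountName` helper reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but no template in this change includes it and values.yaml defines no top-level `serviceAccount` block, so it is dead code that would fail with a nil-pointer evaluation error the first time someone does include it. Either remove the helper (the three service accounts are named directly from `.Release.Name` or `deploymentName` in their own templates) or add a `serviceAccount:` block to values.yaml and use the helper consistently.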
@@ -0,0 +1,217 @@ +{{ if and .Values.deployer.serviceAccount.enabled (ne .Release.Namespace .Values.provisioner.namespace) }} + +apiVersion: authorization.openshift.io/v1 +kind: Role +metadata: + labels: +{{ include "crunchy-postgres-tools.labels" . | indent 4}} + annotations: + openshift.io/description: A user who can deploy applications + openshift.io/reconcile-protect: "false" + name: {{ or .Values.deploymentName .Release.Name }}-deployer +rules: + - apiGroups: + - image.openshift.io + resources: + - imagestreamimages + - imagestreammappings + - imagestreams + - imagestreamtags + verbs: + - get + - list + - watch + - update + - apiGroups: + - image.openshift.io + resources: + - imagestreamtags + verbs: + - delete + - apiGroups: + - project.openshift.io + - "" + attributeRestrictions: null + resources: + - projects + verbs: + - get + - apiGroups: + - "" + attributeRestrictions: null + resources: + - replicationcontrollers + - persistentvolumeclaims + - services + - secrets + - configmaps + - endpoints + - pods + - pods/exec + verbs: + - watch + - list + - get + - create + - update + - patch + - delete + - deletecollection + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods/status + - pods/log + verbs: + - watch + - list + - get + - apiGroups: + - apps.openshift.io + attributeRestrictions: null + resources: + - deploymentconfigs + verbs: + - get + - create + - update + - patch + - apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets + verbs: + - get + - create + - delete + - update + - patch + - apiGroups: + - route.openshift.io + attributeRestrictions: null + resources: + - routes + verbs: + - list + - get + - create + - update + - patch + - delete + - apiGroups: + - template.openshift.io + attributeRestrictions: null + resources: + - processedtemplates + verbs: + - create + - apiGroups: + - route.openshift.io + - "" + attributeRestrictions: null + resources: + - routes/custom-host + verbs: + - create + - 
apiGroups: + - batch + attributeRestrictions: null + resources: + - jobs + - cronjobs + verbs: + - get + - create + - update + - patch + - delete + - watch + - list + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - "rbac.authorization.k8s.io" + - "authorization.openshift.io" + resources: + - roles + - rolebindings + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - extensions + - apps + resources: + - deployments + - replicasets + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - list + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - postgres-operator.crunchydata.com + resources: + - postgresclusters + verbs: + - get + - create + - update + - patch + - delete +{{ end }} diff --git a/openshift/crunchydb/charts/tools/templates/deployer/deployerRoleBinding.yaml b/openshift/crunchydb/charts/tools/templates/deployer/deployerRoleBinding.yaml new file mode 100644 index 000000000..b5d26099f --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/deployer/deployerRoleBinding.yaml 
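Review bot: this role is bound to a CI credential yet grants much more than "deploy": the core-group rule gives `secrets` get/list/create/update/patch/delete plus `deletecollection`, `pods/exec` create, and the `rbac.authorization.k8s.io`/`authorization.openshift.io` rule gives create/update/delete on `roles` and `rolebindings`. A leaked pipeline token therefore reads every secret in the namespace and can open a shell in the database pods; please document which of these the deploying pipeline actually needs and trim the rest, at minimum reconsidering `pods/exec` and the `delete`/`deletecollection` verbs on `secrets`. Two API hygiene points: the Role uses the legacy `authorization.openshift.io/v1` API with `attributeRestrictions: null` while its RoleBinding uses `rbac.authorization.k8s.io/v1`, so moving the Role to `rbac.authorization.k8s.io/v1` and dropping `attributeRestrictions` keeps both on the supported API, and the `extensions` group in the deployments/replicasets rule no longer serves those resources on current Kubernetes and can go.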
@@ -0,0 +1,18 @@ +{{ if and .Values.deployer.serviceAccount.enabled (ne .Release.Namespace .Values.provisioner.namespace) }} + +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ or .Values.deploymentName .Release.Name }}-deployer + labels: +{{ include "crunchy-postgres-tools.labels" . | indent 4}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ or .Values.deploymentName .Release.Name }}-deployer +subjects: + - kind: ServiceAccount + name: {{ or .Values.deploymentName .Release.Name }}-deployer + namespace: {{ .Release.namespace }} + +{{ end }} diff --git a/openshift/crunchydb/charts/tools/templates/deployer/deployerServiceAccount.yaml b/openshift/crunchydb/charts/tools/templates/deployer/deployerServiceAccount.yaml new file mode 100644 index 000000000..b2df66067 --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/deployer/deployerServiceAccount.yaml @@ -0,0 +1,11 @@ +{{ if and .Values.deployer.serviceAccount.enabled (ne .Release.Namespace .Values.provisioner.namespace) }} + +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ or .Values.deploymentName .Release.Name }}-deployer + labels: +{{ include "crunchy-postgres-tools.labels" . | indent 4}} + namespace: {{ .Release.namespace }} + +{{ end }} diff --git a/openshift/crunchydb/charts/tools/templates/linter/linterRole.yaml b/openshift/crunchydb/charts/tools/templates/linter/linterRole.yaml new file mode 100644 index 000000000..480e2c27d --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/linter/linterRole.yaml 
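Review bot: `namespace: {{ .Release.namespace }}` in `subjects` uses a lowercase field that does not exist on Helm's `.Release` object (the guard at the top of this same file uses `.Release.Namespace`), so the field renders empty. The binding still works only because the RBAC authorizer treats an empty namespace on a ServiceAccount subject of a RoleBinding as the binding's own namespace; correct it to `{{ .Release.Namespace }}` so the subject is explicit rather than relying on that fallback.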
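Review bot: the same lowercase `.Release.namespace` typo appears in `metadata.namespace` of the deployer ServiceAccount; the field renders empty and the object lands in the release namespace only because Helm injects it. Either correct it to `.Release.Namespace` or drop the line, since the release namespace is the intended target anyway.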
@@ -0,0 +1,497 @@ +{{- if and (.Values.linter.serviceAccount.enabled) (eq .Release.Namespace .Values.provisioner.namespace) }} + +apiVersion: authorization.openshift.io/v1 +kind: Role +metadata: + labels: {{ include "crunchy-postgres-tools.labels" . | nindent 4}} + annotations: + openshift.io/description: A user who can view but not edit any resources within + the project. They can not view secrets or membership. + openshift.io/reconcile-protect: "false" + name: {{ .Release.Name }}-linter +rules: +- apiGroups: + - "" + attributeRestrictions: null + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - projects + - pods + - replicationcontrollers + - replicationcontrollers/scale + - serviceaccounts + - services + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - bindings + - events + - limitranges + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - apps + attributeRestrictions: null + resources: + - daemonsets + - deployments + - deployments/scale + - replicasets + - replicasets/scale + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: + - autoscaling + attributeRestrictions: null + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch +- apiGroups: + - batch + attributeRestrictions: null + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - daemonsets + - deployments + - deployments/scale + - ingresses + - replicasets + - replicasets/scale + - replicationcontrollers/scale + verbs: + - get + - list + - watch +- apiGroups: + - policy + attributeRestrictions: null + resources: + - poddisruptionbudgets + verbs: + - get 
+ - list + - watch +- apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets/scale + verbs: + - get +- apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets/scale + verbs: + - list +- apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets/scale + verbs: + - watch +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - get +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - list +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - watch +- apiGroups: + - networking.k8s.io + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - get +- apiGroups: + - networking.k8s.io + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - list +- apiGroups: + - networking.k8s.io + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - pods + - replicationcontrollers + - serviceaccounts + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - bindings + - events + - limitranges + - namespaces + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch +- apiGroups: + - batch + attributeRestrictions: null + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - deployments + - deployments/scale + - replicasets + - replicasets/scale + verbs: + - get + - list + - watch +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - apps + 
attributeRestrictions: null + resources: + - deployments + - deployments/scale + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: + - build.openshift.io + - "" + attributeRestrictions: null + resources: + - buildconfigs + - buildconfigs/webhooks + - builds + verbs: + - get + - list + - watch +- apiGroups: + - build.openshift.io + - "" + attributeRestrictions: null + resources: + - builds/log + verbs: + - get + - list + - watch +- apiGroups: + - build.openshift.io + attributeRestrictions: null + resources: + - jenkins + verbs: + - view +- apiGroups: + - apps.openshift.io + - "" + attributeRestrictions: null + resources: + - deploymentconfigs + - deploymentconfigs/scale + verbs: + - get + - list + - watch +- apiGroups: + - apps.openshift.io + - "" + attributeRestrictions: null + resources: + - deploymentconfigs/log + - deploymentconfigs/status + verbs: + - get + - list + - watch +- apiGroups: + - image.openshift.io + - "" + attributeRestrictions: null + resources: + - imagestreamimages + - imagestreammappings + - imagestreams + - imagestreamtags + verbs: + - get + - list + - watch +- apiGroups: + - image.openshift.io + - "" + attributeRestrictions: null + resources: + - imagestreams/status + verbs: + - get + - list + - watch +- apiGroups: + - project.openshift.io + - "" + attributeRestrictions: null + resources: + - projects + verbs: + - get +- apiGroups: + - quota.openshift.io + - "" + attributeRestrictions: null + resources: + - appliedclusterresourcequotas + verbs: + - get + - list + - watch +- apiGroups: + - route.openshift.io + - "" + attributeRestrictions: null + resources: + - routes + verbs: + - get + - list + - watch +- apiGroups: + - route.openshift.io + - "" + attributeRestrictions: null + resources: + - routes/status + verbs: + - get + - list + - watch +- apiGroups: + - template.openshift.io + - "" + attributeRestrictions: null + resources: + - processedtemplates + - templateconfigs + - templateinstances + - templates + verbs: + - get + - 
list + - watch +- apiGroups: + - build.openshift.io + - "" + attributeRestrictions: null + resources: + - buildlogs + verbs: + - get + - list + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - resourcequotausages + verbs: + - get + - list + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - projects + verbs: + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - projects + verbs: + - list +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets + verbs: + - get +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets + verbs: + - list +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets + verbs: + - watch +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets/scale + verbs: + - get +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets/scale + verbs: + - list +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets/scale + verbs: + - watch +- apiGroups: + - apps + attributeRestrictions: null + resources: + - daemonsets + verbs: + - get +- apiGroups: + - apps + attributeRestrictions: null + resources: + - daemonsets + verbs: + - list +- apiGroups: + - apps + attributeRestrictions: null + resources: + - daemonsets + verbs: + - watch +- apiGroups: + - authorization.openshift.io + - rbac.authorization.k8s.io + attributeRestrictions: null + resources: + - rolebindings + - roles + verbs: + - get + - patch +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get +- apiGroups: + - postgres-operator.crunchydata.com + resources: + - postgresclusters + verbs: + - get + - list + +{{ end }} \ No newline at end of file 
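Review bot: the description annotation says this role "can not view secrets or membership", but the first core-group rule grants `secrets` get/list/watch and the `authorization.openshift.io`/`rbac.authorization.k8s.io` rule near the end grants `patch` on `roles` and `rolebindings`, which is membership editing. For a service account whose job is to render and verify Helm templates, remove `secrets` from that rule and drop `patch` on roles and rolebindings (keeping `get`), then make the description match the rules. The rule list is also heavily duplicated, which is what lets drift like this hide: `statefulsets/scale`, `networkpolicies` (in both `extensions` and `networking.k8s.io`), `replicasets`, `replicasets/scale` and `daemonsets` each appear as three separate one-verb rules, and the core-group and `batch` blocks are repeated wholesale; collapsing each into one rule with `get`, `list`, `watch` would more than halve the file. Minor: the file lacks a trailing newline.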
diff --git a/openshift/crunchydb/charts/tools/templates/linter/linterRoleBinding.yaml b/openshift/crunchydb/charts/tools/templates/linter/linterRoleBinding.yaml new file mode 100644 index 000000000..ebb16624d --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/linter/linterRoleBinding.yaml @@ -0,0 +1,17 @@ +{{- if and .Values.linter.serviceAccount.enabled (eq .Release.Namespace .Values.provisioner.namespace) }} + +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-linter + labels: {{ include "crunchy-postgres-tools.labels" . | nindent 4}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Release.Name }}-linter +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-linter + namespace: {{ .Values.linter.namespace }} + +{{ end }} diff --git a/openshift/crunchydb/charts/tools/templates/linter/linterServiceAccount.yaml b/openshift/crunchydb/charts/tools/templates/linter/linterServiceAccount.yaml new file mode 100644 index 000000000..cc1d53ec5 --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/linter/linterServiceAccount.yaml @@ -0,0 +1,10 @@ +{{- if and .Values.linter.serviceAccount.enabled (eq .Release.Namespace .Values.provisioner.namespace)}} + +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ .Release.Name }}-linter + labels: {{ include "crunchy-postgres-tools.labels" . | nindent 4}} + namespace: {{ .Values.linter.namespace }} + +{{ end }} diff --git a/openshift/crunchydb/charts/tools/templates/networking/networkPolicy.yaml b/openshift/crunchydb/charts/tools/templates/networking/networkPolicy.yaml new file mode 100644 index 000000000..56b5d77c1 --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/networking/networkPolicy.yaml 
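Review bot: `namespace: {{ .Values.linter.namespace }}` in `subjects` reads a key that values.yaml never defines (`linter` only carries `serviceAccount.enabled`), so it renders empty, and the template's own guard `eq .Release.Namespace .Values.provisioner.namespace` shows the tools namespace is what was meant. Use `{{ .Release.Namespace }}` here, or add and document a `linter.namespace` value, so the subject is explicit instead of depending on the empty-namespace fallback.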
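Review bot: the linter ServiceAccount has the same undefined `.Values.linter.namespace` in `metadata.namespace`; with the value missing it is created in the release namespace only because Helm injects the namespace. Point it at `.Release.Namespace` or add the value alongside the RoleBinding fix so both objects agree.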
@@ -0,0 +1,23 @@ +{{- if and .Values.networking.networkPolicy.enabled (ne .Release.Namespace .Values.provisioner.namespace) }} + +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ or .Values.deploymentName .Release.Name }}-allow-route-ingress + labels: +{{ include "crunchy-postgres-tools.labels" . | indent 4}} +spec: + # This policy allows any pod with a route & service combination + # to accept traffic from the OpenShift router pods. This is + # required for things outside of OpenShift (like the Internet) + # to reach your pods. + ingress: + - from: + - namespaceSelector: + matchLabels: + network.openshift.io/policy-group: ingress + podSelector: {} + policyTypes: + - Ingress + +{{- end }} diff --git a/openshift/crunchydb/charts/tools/templates/networking/podNetworkPolicy.yaml b/openshift/crunchydb/charts/tools/templates/networking/podNetworkPolicy.yaml new file mode 100644 index 000000000..b706a96c0 --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/networking/podNetworkPolicy.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.networking.podNetworkPolicy.enabled (ne .Release.Namespace .Values.provisioner.namespace) }} + +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ or .Values.deploymentName .Release.Name }}-allow-same-namespace + labels: +{{ include "crunchy-postgres-tools.labels" . | indent 4}} +spec: + # This policy allows pods to accept traffic from other pods in this namespace + ingress: + - from: + - podSelector: {} + podSelector: {} + +{{ end }} diff --git a/openshift/crunchydb/charts/tools/templates/networking/route.yaml b/openshift/crunchydb/charts/tools/templates/networking/route.yaml new file mode 100644 index 000000000..55cc81f35 --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/networking/route.yaml 
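Review bot: the comment in the route ingress policy says it admits router traffic for "any pod with a route & service combination", but `podSelector: {}` selects every pod in the namespace, including the Postgres pods that never sit behind a Route. The router only forwards to endpoints of a Service that a Route references, so this is not an exposure on its own, but either scope `podSelector` with a label selector to the workloads that are actually routed or reword the comment to say it allows ingress from the router to all pods; given that `route.enabled` ships as false, enabling this policy only where a Route exists would also be consistent.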
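Review bot: the pod policy's `from: - podSelector: {}` against `podSelector: {}` lets every pod in the namespace reach every other pod, so anything that runs in the namespace (a CI job, or a utility pod created with the deployer's `pods` create permission) can reach the database port. On a deny-by-default platform this is the usual bootstrap policy, but for the Postgres pods specifically a follow-up policy restricting ingress to the application's labels is worth planning; also add `policyTypes: - Ingress` as the route policy does so the intent is explicit.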
@@ -0,0 +1,21 @@ +{{- if and .Values.networking.route.enabled (ne .Release.Namespace .Values.provisioner.namespace) }} + +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: {{ template "crunchy-postgres-tools.fullname" . }} + labels: +{{ include "crunchy-postgres-tools.labels" . | indent 4}} +spec: + host: {{ .Values.networking.route.host }} + port: + targetPort: {{ template "crunchy-postgres-tools.fullname" . }} + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect + to: + kind: Service + name: {{ template "crunchy-postgres-tools.fullname" . }} + weight: 100 + +{{ end }} diff --git a/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRole.yaml b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRole.yaml new file mode 100644 index 000000000..fa677b65f --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRole.yaml 
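Review bot: the Route sends traffic to a Service named `{{ template "crunchy-postgres-tools.fullname" . }}` (`crunchy-postgres-tools` with the shipped `fullnameOverride`) with `targetPort` set to that same name, but nothing in this chart creates a Service or names a port that way, so an enabled route would have no backend. Since `route.enabled` defaults to false this is inert today; either document which Service the route is meant to front and turn the service and port names into values, or remove the template. Edge termination with `insecureEdgeTerminationPolicy: Redirect` is the right default; an empty `host` lets OpenShift generate one, which is fine but should be stated in the README.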
@@ -0,0 +1,237 @@ +{{ if .Values.provisioner.serviceAccount.enabled }} + +apiVersion: authorization.openshift.io/v1 +kind: Role +metadata: + labels: {{ include "crunchy-postgres-tools.labels" . | nindent 4}} + annotations: + openshift.io/description: A user who can deploy applications + openshift.io/reconcile-protect: "false" + name: {{ .Release.Name }}-provisioner +rules: + - apiGroups: + - image.openshift.io + resources: + - imagestreamimages + - imagestreammappings + - imagestreams + - imagestreamtags + verbs: + - get + - list + - watch + - update + - apiGroups: + - image.openshift.io + resources: + - imagestreamtags + verbs: + - delete + - apiGroups: + - project.openshift.io + - "" + attributeRestrictions: null + resources: + - projects + verbs: + - get + - apiGroups: + - "" + attributeRestrictions: null + resources: + - replicationcontrollers + - persistentvolumeclaims + - services + - secrets + - configmaps + - endpoints + - pods + - pods/exec + verbs: + - watch + - list + - get + - create + - update + - patch + - delete + - deletecollection + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods/status + - pods/log + verbs: + - watch + - list + - get + - apiGroups: + - apps.openshift.io + attributeRestrictions: null + resources: + - deploymentconfigs + verbs: + - get + - create + - update + - patch + - apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets + verbs: + - get + - create + - delete + - update + - patch + - apiGroups: + - route.openshift.io + attributeRestrictions: null + resources: + - routes + verbs: + - list + - get + - create + - update + - patch + - delete + - apiGroups: + - template.openshift.io + attributeRestrictions: null + resources: + - processedtemplates + - templates + verbs: + - create + - patch + - apiGroups: + - route.openshift.io + attributeRestrictions: null + resources: + - routes + verbs: + - get + - create + - update + - patch + - apiGroups: + - route.openshift.io + - "" + 
attributeRestrictions: null + resources: + - routes/custom-host + verbs: + - create + - apiGroups: + - batch + attributeRestrictions: null + resources: + - jobs + - cronjobs + verbs: + - get + - create + - update + - patch + - delete + - watch + - list + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - "rbac.authorization.k8s.io" + - "authorization.openshift.io" + resources: + - roles + - rolebindings + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - extensions + - apps + resources: + - deployments + - replicasets + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - list + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - artifactory.devops.gov.bc.ca + resources: + - artifactoryserviceaccounts + verbs: + - get + - list + - apiGroups: + - postgres-operator.crunchydata.com + resources: + - postgresclusters + verbs: + - get + - list + - create + - update + - patch + - delete + +{{ end }} diff --git a/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRoleBinding.yaml b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRoleBinding.yaml new file mode 100644 index 000000000..f89476fff --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRoleBinding.yaml 
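Review bot: this role is created in every namespace the chart is installed in (the only guard is `.Values.provisioner.serviceAccount.enabled`) and bound to a single service account in the tools namespace, while carrying `secrets` full CRUD, `pods/exec` create and create/update/delete on `roles` and `rolebindings`. That makes the tools-namespace token one credential that can read secrets and exec into pods across dev, test and prod at once, a blast radius that should be acknowledged in the README and, as with the deployer role, reduced by dropping `pods/exec` and `deletecollection` on `secrets` unless the provisioning flow needs them. The `route.openshift.io` `routes` rule also appears twice (`list/get/create/update/patch/delete` and again `get/create/update/patch`); the second copy is redundant. The same API note applies as for the deployer role: `authorization.openshift.io/v1` plus `attributeRestrictions: null` here versus `rbac.authorization.k8s.io/v1` in the binding.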
@@ -0,0 +1,19 @@ +{{ if .Values.provisioner.serviceAccount.enabled }} + +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-provisioner + labels: +{{ include "crunchy-postgres-tools.labels" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Release.Name }}-provisioner +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-provisioner + namespace: {{ .Values.provisioner.namespace }} + + +{{ end }} diff --git a/openshift/crunchydb/charts/tools/templates/provisioner/provisionerServiceAccount.yaml b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerServiceAccount.yaml new file mode 100644 index 000000000..fe04e79cc --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerServiceAccount.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.provisioner.serviceAccount.enabled (eq .Release.Namespace .Values.provisioner.namespace) }} + +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ .Release.Name }}-provisioner + labels: +{{ include "crunchy-postgres-tools.labels" . | indent 4 }} + namespace: {{ .Values.provisioner.namespace }} + +{{ end }} diff --git a/openshift/crunchydb/charts/tools/values.yaml b/openshift/crunchydb/charts/tools/values.yaml new file mode 100644 index 000000000..0cd0cf421 --- /dev/null +++ b/openshift/crunchydb/charts/tools/values.yaml 
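Review bot: `namespace: {{ .Values.provisioner.namespace }}` in `subjects` renders empty with the shipped values.yaml, where `provisioner.namespace` is just a `#tools-namespace` comment, and because this binding is created in every namespace an install without `--set provisioner.namespace=...` binds the role to an empty-namespace subject that the RBAC authorizer resolves to the local namespace instead of the tools provisioner. Wrap the value with Helm's `required`, for example `namespace: {{ required "provisioner.namespace must be set" .Values.provisioner.namespace }}`, so the install fails fast; the `ne`/`eq` guards in the other templates compare against nil in the same situation and would benefit from the same check. There is also a stray double blank line before `{{ end }}`.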
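Review bot: the provisioner ServiceAccount is the only one of the three provisioner objects gated on `eq .Release.Namespace .Values.provisioner.namespace`, so when `provisioner.namespace` is unset the `eq` is false everywhere and the Role and RoleBinding are still created in each namespace while the ServiceAccount they point at is never created. Making the value required (as suggested for the binding) closes that gap; otherwise at least gate the Role and RoleBinding on the value being non-empty as well.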
@@ -0,0 +1,31 @@ +fullnameOverride: crunchy-postgres-tools +deploymentName: crunchy-postgres + +deployer: + serviceAccount: + enabled: true + +# Enable the provisioner service account which is used to deploy services to our other namespaces (dev/test/prod) +# The tools namespace needs to be passed in so we know which namespace to install the service account in and the rolebindings get proper permissions +provisioner: + namespace: #tools-namespace + serviceAccount: + enabled: true + +# Service account with fairly low permissions for the linter +linter: + serviceAccount: + enabled: true + +networking: + # Network policy to allow traffic from outside the namespace (like the internet) + networkPolicy: + enabled: true + # Pod network policy to allow pods to accept traffic from other pods in this namespace + podNetworkPolicy: + enabled: true + # Enable OpenShift route whitch allows you to host your application at a public URL + route: + enabled: false + host: # eg: crunchy-postgres-namespace.apps.silver.devops.gov.bc.ca +
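Review bot: `provisioner.namespace:` ships as an empty value with only a `#tools-namespace` comment, yet every namespace guard in the templates and the provisioner binding's subject depend on it; either document in the comment that it must be passed with `--set` and mark it `required` in the templates, or give it an obvious placeholder that fails validation. `linter` also lacks the `namespace` key that linterRoleBinding.yaml and linterServiceAccount.yaml read, and `route.enabled: false` disagrees with the README's stated default of `true`. Minor: "whitch" in the route comment should be "which".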