From 31402fe4421cb2e25ec4b40714173a9234b6ca97 Mon Sep 17 00:00:00 2001 From: Walter Moar Date: Wed, 4 Dec 2024 19:49:14 +0000 Subject: [PATCH 1/8] fix: set up crunchydb for fider We need to do database upgrades, and part of that is to replace the standalone PostgreSQL pod with a CrunchyDB cluster. --- openshift/fider/README.md | 19 +++++++++++++++++++ .../fider/values-crunchy-postgres-fider.yaml | 2 ++ openshift/fider/values-tools-fider.yaml | 18 ++++++++++++++++++ 3 files changed, 39 insertions(+) create mode 100644 openshift/fider/README.md create mode 100644 openshift/fider/values-crunchy-postgres-fider.yaml create mode 100644 openshift/fider/values-tools-fider.yaml
diff --git a/openshift/fider/README.md b/openshift/fider/README.md
new file mode 100644
index 000000000..4ff188ee8
--- /dev/null
+++ b/openshift/fider/README.md
@@ -0,0 +1,19 @@
+# Fider
+
+Fider uses CrunchyDB as its highly available database. CrunchyDB uses Patroni,
+which uses PostgreSQL as the database.
+
+## Installation
+
+CrunchyDB is installed using the
+[Helm chart](https://github.com/bcgov/crunchy-postgres) provided by the fine
+folks over at platform services. Clone this repo.
+
+> TBD: should we make a copy of it in our repo, so that a recreate uses the same
+> charts? Probably.
+
+```sh
+export HELM_CHART_DIR=
+$ helm -n a12c97-tools upgrade --install crunchy-tools-fider $HELM_CHART_DIR/charts/tools -f values-tools-fider.yaml
+$ helm -n a12c97-tools upgrade --install crunchy-postgres-fider $HELM_CHART_DIR/charts/crunchy-postgres -f values-crunchy-postgres-fider.yaml
+```
diff --git a/openshift/fider/values-crunchy-postgres-fider.yaml b/openshift/fider/values-crunchy-postgres-fider.yaml
new file mode 100644
index 000000000..059c87a72
--- /dev/null
+++ b/openshift/fider/values-crunchy-postgres-fider.yaml
@@ -0,0 +1,2 @@
+deploymentName: crunchy-postgres-fider
+fullnameOverride: crunchy-postgres-tools-fider
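Review bot: The bodies of the two new values files look swapped relative to their names. `values-crunchy-postgres-fider.yaml` holds `deploymentName` and a `fullnameOverride` of `crunchy-postgres-tools-fider`, which read as settings for the tools chart, while `values-tools-fider.yaml` (the next hunk) holds `postgresVersion`, `instances`, `pgBackRest` and `proxy`, which read as cluster settings. The README commands pass each file to the chart its name suggests, so as written the cluster would apparently be installed without the intended version, replica and backup-schedule overrides. Swap the file bodies (or the `-f` arguments) so that each chart receives the values meant for it.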
diff --git a/openshift/fider/values-tools-fider.yaml b/openshift/fider/values-tools-fider.yaml
new file mode 100644
index 000000000..c0659649a
--- /dev/null
+++ b/openshift/fider/values-tools-fider.yaml
@@ -0,0 +1,18 @@
+fullnameOverride: crunchy-postgres-fider
+
+postgresVersion: 16
+
+instances:
+ replicas: 3
+ dataVolumeClaimSpec:
+ storage: 512Mi
+
+pgBackRest:
+ repos:
+ schedules:
+ full: 0 12 * * *
+ incremental: 0 0,4,8,16,20 * * *
+
+proxy:
+ pgBouncer:
+ replicas: 3
From 924610cd0b23a8026405bdb578fb7ebb789ef862 Mon Sep 17 00:00:00 2001
From: Walter Moar Date: Fri, 13 Dec 2024 21:49:38 +0000 Subject: [PATCH 2/8] feat: copy crunchy-postgres helm charts We copy over the Helm charts so that our deployments are consistent and don't change due to changes in the external repo. --- openshift/crunchydb/README.md | 13 + .../charts/crunchy-postgres/.helmignore | 23 + .../charts/crunchy-postgres/Chart.yaml | 26 + .../charts/crunchy-postgres/README.md | 131 +++++ .../templates/PostgresCluster.yaml | 217 ++++++++ .../crunchy-postgres/templates/_helpers.tpl | 62 +++ .../charts/crunchy-postgres/templates/_s3.tpl | 18 + .../crunchy-postgres/templates/s3Secret.yaml | 11 + .../charts/crunchy-postgres/values.yaml | 136 +++++ openshift/crunchydb/charts/tools/.helmignore | 23 + openshift/crunchydb/charts/tools/Chart.yaml | 24 + openshift/crunchydb/charts/tools/README.md | 80 +++ .../charts/tools/templates/_helpers.tpl | 62 +++ .../templates/deployer/deployerRole.yaml | 217 ++++++++ .../deployer/deployerRoleBinding.yaml | 18 + .../deployer/deployerServiceAccount.yaml | 11 + .../tools/templates/linter/linterRole.yaml | 497 ++++++++++++++++++ .../templates/linter/linterRoleBinding.yaml | 17 + .../linter/linterServiceAccount.yaml | 10 + .../templates/networking/networkPolicy.yaml | 23 + .../networking/podNetworkPolicy.yaml | 16 + .../tools/templates/networking/route.yaml | 21 + .../provisioner/provisionerRole.yaml | 237 +++++++++ .../provisioner/provisionerRoleBinding.yaml | 19 + .../provisionerServiceAccount.yaml | 11 + openshift/crunchydb/charts/tools/values.yaml | 31 ++ 26 files changed, 1954 insertions(+) create mode 100644 openshift/crunchydb/README.md create mode 100644 openshift/crunchydb/charts/crunchy-postgres/.helmignore create mode 100644 openshift/crunchydb/charts/crunchy-postgres/Chart.yaml create mode 100644 openshift/crunchydb/charts/crunchy-postgres/README.md create mode 100644 openshift/crunchydb/charts/crunchy-postgres/templates/PostgresCluster.yaml create mode 100644 
openshift/crunchydb/charts/crunchy-postgres/templates/_helpers.tpl create mode 100644 openshift/crunchydb/charts/crunchy-postgres/templates/_s3.tpl create mode 100644 openshift/crunchydb/charts/crunchy-postgres/templates/s3Secret.yaml create mode 100644 openshift/crunchydb/charts/crunchy-postgres/values.yaml create mode 100644 openshift/crunchydb/charts/tools/.helmignore create mode 100644 openshift/crunchydb/charts/tools/Chart.yaml create mode 100644 openshift/crunchydb/charts/tools/README.md create mode 100644 openshift/crunchydb/charts/tools/templates/_helpers.tpl create mode 100644 openshift/crunchydb/charts/tools/templates/deployer/deployerRole.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/deployer/deployerRoleBinding.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/deployer/deployerServiceAccount.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/linter/linterRole.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/linter/linterRoleBinding.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/linter/linterServiceAccount.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/networking/networkPolicy.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/networking/podNetworkPolicy.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/networking/route.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/provisioner/provisionerRole.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/provisioner/provisionerRoleBinding.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/provisioner/provisionerServiceAccount.yaml create mode 100644 openshift/crunchydb/charts/tools/values.yaml
diff --git a/openshift/crunchydb/README.md b/openshift/crunchydb/README.md
new file mode 100644
index 000000000..dc2575574
--- /dev/null
+++ b/openshift/crunchydb/README.md
@@ -0,0 +1,13 @@
+# Fider
+
+Fider uses CrunchyDB as its highly available database. CrunchyDB uses Patroni,
+which uses PostgreSQL as the database.
+
+## Installation
+
+This CrunchyDB installation use the
+[Helm chart](https://github.com/bcgov/crunchy-postgres) provided by the fine
+folks over at platform services. The `charts` directory has been copied here
+from commit `91d32cb` so that changes to the upstream repo don't unexpectedly
+change our deployments. This stability and consistency comes at the cost of
+added maintenance effort to stay in sync.
diff --git a/openshift/crunchydb/charts/crunchy-postgres/.helmignore b/openshift/crunchydb/charts/crunchy-postgres/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/openshift/crunchydb/charts/crunchy-postgres/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/openshift/crunchydb/charts/crunchy-postgres/Chart.yaml b/openshift/crunchydb/charts/crunchy-postgres/Chart.yaml
new file mode 100644
index 000000000..80c889da4
--- /dev/null
+++ b/openshift/crunchydb/charts/crunchy-postgres/Chart.yaml
@@ -0,0 +1,26 @@
+apiVersion: v2
+name: crunchy-postgres
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.6.3
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+
+# Crunchy Postgres Operator version
+appVersion: "5.0.4"
diff --git a/openshift/crunchydb/charts/crunchy-postgres/README.md b/openshift/crunchydb/charts/crunchy-postgres/README.md
new file mode 100644
index 000000000..aee58b659
--- /dev/null
+++ b/openshift/crunchydb/charts/crunchy-postgres/README.md
@@ -0,0 +1,131 @@
+# Crunchy Postgres chart
+
+A chart to provision a [Crunchy Postgres](https://www.crunchydata.com/) cluster.
+
+## Configuration
+
+### Crunchy Options
+
+| Parameter | Description | Default |
+| ------------------ | ---------------------- | ------------------ |
+| `fullnameOverride` | Override release name | `crunchy-postgres` |
+| `crunchyImage` | Crunchy Postgres image | |
+| `postgresVersion` | Postgres version | `14` |
+
+---
+
+### Instances
+
+| Parameter | Description | Default |
+| ------------------------------------------- | ------------------------------ | ------------------------ |
+| `instances.name` | Instance name | `ha` (high availability) |
+| `instances.replicas` | Number of replicas | `2` |
+| `instances.dataVolumeClaimSpec.storage` | Amount of storage for each PVC | `480Mi` |
+| `instances.requests.cpu` | CPU requests | `1m` |
+| `instances.requests.memory` | Memory requests | `256Mi` |
+| `instances.limits.cpu` | CPU limits | `100m` |
+| `instances.limits.memory` | Memory limits | `512Mi` |
+| `instances.replicaCertCopy.requests.cpu` | replicaCertCopy CPU requests | `1m` |
+| `instances.replicaCertCopy.requests.memory` | replicaCertCopyMemory requests | `32Mi` |
+| `instances.replicaCertCopy.limits.cpu` | replicaCertCopyCPU limits | `50m` |
+| `instances.replicaCertCopy.limits.memory` | replicaCertCopy Memory limits | `64Mi` |
+
+---
+
+### pgBackRest - Reliable PostgreSQL Backup & Restore
+
+[pgBackRest site](https://pgbackrest.org/)
+[Crunchy pgBackRest docs](https://access.crunchydata.com/documentation/pgbackrest/latest/)
+
+| Parameter | Description | Default |
+| ---------------------------------------------------- | ------------------------------------------------------------- | ---------------------- |
+| `pgBackRest.image` | Crunchy pgBackRest | |
+| `pgBackRest.retention` | Number of backups/days to keep depending on retentionFullType | `2` |
+| `pgBackRest.retentionFullType` | Either 'count' or 'time' | `count` |
+| `pgBackRest.repos.schedules.full` | Full backup schedule | `0 8 * * *` |
+| `pgBackRest.repos.schedules.incremental` | Incremental backup schedule | `0 0,4,12,16,20 * * *` |
+| `pgBackRest.repos.schedules.volume.addessModes` | Access modes | `ReadWriteOnce` |
+| `pgBackRest.repos.schedules.volume.storage` | Access modes | `64Mi` |
+| `pgBackRest.repos.schedules.volume.storageClassName` | Storage class name modes | `netapp-file-backup` |
+| `pgBackRest.repoHost.requests.cpu` | CPU requests | `1m` |
+| `pgBackRest.repoHost.requests.memory` | Memory requests | `64Mi` |
+| `pgBackRest.repoHost.limits.cpu` | CPU limits | `50m` |
+| `pgBackRest.repoHost.limits.memory` | Memory limits | `128Mi` |
+| `pgBackRest.sidecars.requests.cpu` | sidecars CPU requests | `1m` |
+| `pgBackRest.sidecars.requests.memory` | sidecars Memory requests | `64Mi` |
+| `pgBackRest.sidecars.limits.cpu` | sidecars CPU limits | `50m` |
+| `pgBackRest.sidecars.limits.memory` | sidecars Memory limits | `128Mi` |
+| `pgBackRest.s3.enabled` | Enables the s3 repo backups | `false` |
+| `pgBackRest.s3.createS3Secret` | Creates the s3 secret based on key and keySecret | `true` |
+| `pgBackRest.s3.s3Secret` | The secret name to be created or read from | `s3-pgbackrest` |
+| `pgBackRest.s3.s3Path` | The path inside the bucket where the backups will be saved to, set it to `/` to use the root of the bucket. | `/dbbackup` |
+| `pgBackRest.s3.s3UriStyle` | Style of URL to use for S3 communication. [More Info](https://pgbackrest.org/configuration.html#section-repository/option-repo-s3-uri-style) | `path` |
+| `pgBackRest.s3.bucket` | The bucket to use for backups | `bucketName` |
+| `pgBackRest.s3.endpoint` | The endpoint to use, for example s3.ca-central-1.amazonaws.com | `endpointName` |
+| `pgBackRest.s3.region` | The region to use, not necessary if your S3 system does not specify one | `ca-central-1` |
+| `pgBackRest.s3.key` | The key to use to access the bucket. MUST BE KEPT SECRET | `s3KeyValue` |
+| `pgBackRest.s3.keySecret` | The key secret for the key set above. MUST BE KEPT SECRET | `s3SecretValue` |
+---
+
+### Patroni
+
+[Patroni docs](https://patroni.readthedocs.io/en/latest/)
+[Crunchy Patroni docs](https://access.crunchydata.com/documentation/patroni/latest/)
+
+| Parameter | Description | Default |
+| ------------------------------------------- | ------------------------------------------------------------------- | --------------------------------- |
+| `patroni.postgresql.pg_hba` | pg_hba permissions | `"host all all 0.0.0.0/0 md5"` |
+| `crunchyImage` | Crunchy Postgres image | `...crunchy-postgres:ubi8-14.7-0` |
+| `patroni.parameters.shared_buffers` | The number of shared memory buffers used by the server | `16MB` |
+| `patroni.parameters.wal_buffers` | The number of disk-page buffers in shared memory for WAL | `64KB` |
+| `patroni.parameters.min_wal_size` | The minimum size to shrink the WAL to | `32MB` |
+| `patroni.parameters.max_wal_size` | Sets the WAL size that triggers a checkpoint | `64MB` |
+| `patroni.parameters.max_slot_wal_keep_size` | Sets the maximum WAL size that can be reserved by replication slots | `128MB` |
+
+---
+
+### pgBouncer
+
+A lightweight connection pooler for PostgreSQL
+
+[pgBouncer site](https://www.pgbouncer.org/)
+[Crunchy Postgres pgBouncer docs](https://access.crunchydata.com/documentation/pgbouncer/latest/)
+
+| Parameter | Description | Default |
+| --------------------------------- | ----------------------- | ------- |
+| `proxy.pgBouncer.image` | Crunchy pgBouncer image | |
+| `proxy.pgBouncer.replicas` | Number of replicas | `2` |
+| `proxy.pgBouncer.requests.cpu` | CPU requests | `1m` |
+| `proxy.pgBouncer.requests.memory` | Memory requests | `64Mi` |
+| `proxy.pgBouncer.limits.cpu` | CPU limits | `50m` |
+| `proxy.pgBouncer.limits.memory` | Memory limits | `128Mi` |
+
+---
+
+## PG Monitor
+
+[Crunchy Postgres PG Monitor docs](https://access.crunchydata.com/documentation/pgmonitor/latest/)
+
+| Parameter | Description | Default |
+| ------------------------------------ | ---------------------------------------------- | ------- |
+| `pgmonitor.enabled` | Enable PG Monitor (currently only PG exporter) | `false` |
+| `pgmonitor.exporter.requests.cpu` | PG Monitor CPU requests | `1m` |
+| `pgmonitor.exporter.requests.memory` | PG Monitor Memory requests | `64Mi` |
+| `pgmonitor.exporter.limits.cpu` | PG Monitor CPU limits | `50m` |
+| `pgmonitor.exporter.limits.memory` | PG Monitor Memory limits | `128Mi` |
+
+#### Postgres Exporter
+
+A [Prometheus](https://prometheus.io/) exporter for PostgreSQL
+
+[Postgres Exporter](https://github.com/prometheus-community/postgres_exporter)
+
+| Parameter | Description | Default |
+| ------------------------------------ | ------------------------- | ------- |
+| `pgmonitor.exporter.image` | Crunchy PG Exporter image | |
+| `pgmonitor.exporter.requests.cpu` | CPU requests | `1m` |
+| `pgmonitor.exporter.requests.memory` | Memory requests | `64Mi` |
+| `pgmonitor.exporter.limits.cpu` | CPU limits | `50m` |
+| `pgmonitor.exporterr.limits.memory` | Memory limits | `128Mi` |
+
+---
diff --git a/openshift/crunchydb/charts/crunchy-postgres/templates/PostgresCluster.yaml b/openshift/crunchydb/charts/crunchy-postgres/templates/PostgresCluster.yaml
new file mode 100644
index 000000000..e2b31d172
--- /dev/null
+++ b/openshift/crunchydb/charts/crunchy-postgres/templates/PostgresCluster.yaml
@@ -0,0 +1,217 @@
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+ name: {{ template "crunchy-postgres.fullname" . }}
+ labels: {{ include "crunchy-postgres.labels" . | nindent 4 }}
+spec:
+ metadata:
+ labels: {{ include "crunchy-postgres.labels" . | nindent 6 }}
+ {{ if .Values.crunchyImage }}
+ image: {{ .Values.crunchyImage }}
+ {{ end }}
+ imagePullPolicy: {{.Values.imagePullPolicy}}
+ postgresVersion: {{ .Values.postgresVersion }}
+ {{ if .Values.postGISVersion }}
+ postGISVersion: {{ .Values.postGISVersion | quote }}
+ {{ end }}
+ postgresVersion: {{ .Values.postgresVersion }}
+
+ {{ if .Values.pgmonitor.enabled }}
+
+ monitoring:
+ pgmonitor:
+ # this stuff is for the "exporter" container in the "postgres-cluster-ha" set of pods
+ exporter:
+ {{ if .Values.pgmonitor.exporter.image}}
+ image: {{ .Values.pgmonitor.exporter.image}}
+ {{ end }}
+ resources:
+ requests:
+ cpu: {{ .Values.pgmonitor.exporter.requests.cpu }}
+ memory: {{ .Values.pgmonitor.exporter.requests.memory }}
+ limits:
+ cpu: {{ .Values.pgmonitor.exporter.limits.cpu }}
+ memory: {{ .Values.pgmonitor.exporter.limits.memory }}
+
+ {{ end }}
+
+ instances:
+ - name: {{ .Values.instances.name }}
+ replicas: {{ .Values.instances.replicas }}
+ resources:
+ requests:
+ cpu: {{ .Values.instances.requests.cpu }}
+ memory: {{ .Values.instances.requests.memory }}
+ limits:
+ cpu: {{ .Values.instances.limits.cpu }}
+ memory: {{ .Values.instances.limits.memory }}
+ sidecars:
+ replicaCertCopy:
+ resources:
+ requests:
+ cpu: {{ .Values.instances.replicaCertCopy.requests.cpu }}
+ memory: {{ .Values.instances.replicaCertCopy.requests.memory }}
+ limits:
+ cpu: {{ .Values.instances.replicaCertCopy.limits.cpu }}
+ memory: {{ .Values.instances.replicaCertCopy.limits.memory }}
+ dataVolumeClaimSpec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: {{ .Values.instances.dataVolumeClaimSpec.storage }}
+ storageClassName: {{ .Values.instances.dataVolumeClaimSpec.storageClassName }}
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ podAffinityTerm:
+ topologyKey: topology.kubernetes.io/zone
+ labelSelector:
+ matchLabels:
+ postgres-operator.crunchydata.com/cluster:
+ {{ template "crunchy-postgres.fullname" . }}
+ postgres-operator.crunchydata.com/instance-set: {{ .Values.instances.name }}-ha
+
+ users:
+ - name: {{ template "crunchy-postgres.fullname" . }}
+ databases:
+ - {{ template "crunchy-postgres.fullname" . }}
+ options: "CREATEROLE"
+ - name: postgres
+ databases:
+ - {{ template "crunchy-postgres.fullname" . }}
+
+ {{ if .Values.dataSource.enabled }}
+ dataSource:
+ pgbackrest:
+ configuration:
+ - secret:
+ name: {{ .Values.dataSource.secretName }}
+ global:
+ repo2-path: {{ .Values.dataSource.repo.path }}
+ repo:
+ name: {{ .Values.dataSource.repo.name }}
+ s3:
+ bucket: {{ .Values.dataSource.repo.s3.bucket }}
+ endpoint: {{ .Values.dataSource.repo.s3.endpoint }}
+ region: {{ .Values.dataSource.repo.s3.region }}
+ stanza: {{ .Values.dataSource.stanza }}
+ {{ end }}
+
+ backups:
+ pgbackrest:
+ {{ if .Values.pgBackRest.image }}
+ image: {{ .Values.pgBackRest.image }}
+ {{ end }}
+ {{- if .Values.pgBackRest.s3.enabled }}
+ configuration:
+ - secret:
+ name: {{ .Values.pgBackRest.s3.s3Secret }}
+ {{- end }}
+ global:
+ # Support both PVC and s3 backups
+ repo1-retention-full: {{ .Values.pgBackRest.retention | quote }}
+ repo1-retention-full-type: {{ .Values.pgBackRest.retentionFullType }}
+ {{- if .Values.pgBackRest.s3.enabled }}
+ repo2-retention-full: {{ .Values.pgBackRest.retention | quote }}
+ repo2-retention-full-type: {{ .Values.pgBackRest.retentionFullType }}
+ repo2-path: {{ .Values.pgBackRest.s3.s3Path }}
+ repo2-s3-uri-style: {{ .Values.pgBackRest.s3.s3UriStyle }}
+ {{- end }}
+ repos:
+ # hardcoding repo1 until we solution allowing multiple repos
+ - name: repo1
+ schedules:
+ full: {{ .Values.pgBackRest.repos.schedules.full }}
+ incremental: {{ .Values.pgBackRest.repos.schedules.incremental }}
+ volume:
+ volumeClaimSpec:
+ accessModes:
+ - {{ .Values.pgBackRest.repos.volume.accessModes }}
+ resources:
+ requests:
+ storage: {{ .Values.pgBackRest.repos.volume.storage }}
+ storageClassName: {{ .Values.pgBackRest.repos.volume.storageClassName }}
+ {{- if .Values.pgBackRest.s3.enabled }}
+ - name: repo2
+ schedules:
+ full: {{ if .Values.pgBackRest.s3.fullSchedule }}{{ .Values.pgBackRest.s3.fullSchedule }}{{ else }}{{ .Values.pgBackRest.repos.schedules.full }}{{ end }}
+ incremental: {{ if .Values.pgBackRest.s3.incrementalSchedule }}{{ .Values.pgBackRest.s3.incrementalSchedule }}{{ else }}{{ .Values.pgBackRest.repos.schedules.incremental }}{{ end }}
+ s3:
+ bucket: {{ .Values.pgBackRest.s3.bucket }}
+ endpoint: {{ .Values.pgBackRest.s3.endpoint }}
+ region: {{ .Values.pgBackRest.s3.region }}
+ {{- end }}
+ # this stuff is for the "pgbackrest" container (the only non-init container) in the "postgres-crunchy-repo-host" pod
+ repoHost:
+ resources:
+ requests:
+ cpu: {{ .Values.pgBackRest.repoHost.requests.cpu }}
+ memory: {{ .Values.pgBackRest.repoHost.requests.memory }}
+ limits:
+ cpu: {{ .Values.pgBackRest.repoHost.limits.cpu }}
+ memory: {{ .Values.pgBackRest.repoHost.limits.memory }}
+ sidecars:
+ # this stuff is for the "pgbackrest" container in the "postgres-crunchy-ha" set of pods
+ pgbackrest:
+ resources:
+ requests:
+ cpu: {{ .Values.pgBackRest.sidecars.requests.cpu }}
+ memory: {{ .Values.pgBackRest.sidecars.requests.memory }}
+ limits:
+ cpu: {{ .Values.pgBackRest.sidecars.limits.cpu }}
+ memory: {{ .Values.pgBackRest.sidecars.limits.memory }}
+ pgbackrestConfig:
+ resources:
+ requests:
+ cpu: {{ .Values.pgBackRest.sidecars.requests.cpu }}
+ memory: {{ .Values.pgBackRest.sidecars.requests.memory }}
+ limits:
+ cpu: {{ .Values.pgBackRest.sidecars.limits.cpu }}
+ memory: {{ .Values.pgBackRest.sidecars.limits.memory }}
+ standby:
+ enabled: {{ .Values.standby.enabled }}
+ repoName: {{ .Values.standby.repoName }}
+
+ patroni:
+ dynamicConfiguration:
+ postgresql:
+ pg_hba:
+ - {{ .Values.patroni.postgresql.pg_hba}}
+ parameters:
+ shared_buffers: {{ .Values.patroni.postgresql.parameters.shared_buffers }}
+ wal_buffers: {{ .Values.patroni.postgresql.parameters.wal_buffers }}
+ min_wal_size: {{ .Values.patroni.postgresql.parameters.min_wal_size }}
+ max_wal_size: {{ .Values.patroni.postgresql.parameters.max_wal_size }}
+ max_slot_wal_keep_size: {{ .Values.patroni.postgresql.parameters.max_slot_wal_keep_size }}
+
+ proxy:
+ pgBouncer:
+ config:
+ global:
+ client_tls_sslmode: disable
+ {{ if .Values.proxy.pgBouncer.image }}
+ image: {{ .Values.proxy.pgBouncer.image }}
+ {{ end }}
+ replicas: {{ .Values.proxy.pgBouncer.replicas }}
+ # these resources are for the "pgbouncer" container in the "postgres-crunchy-ha-pgbouncer" set of pods
+ # there is a sidecar in these pods which are not mentioned here, but the requests/limits are teeny weeny by default so no worries there.
+ resources:
+ requests:
+ cpu: {{ .Values.proxy.pgBouncer.requests.cpu }}
+ memory: {{ .Values.proxy.pgBouncer.requests.memory }}
+ limits:
+ cpu: {{ .Values.proxy.pgBouncer.limits.cpu }}
+ memory: {{ .Values.proxy.pgBouncer.limits.memory }}
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ podAffinityTerm:
+ topologyKey: topology.kubernetes.io/zone
+ labelSelector:
+ matchLabels:
+ postgres-operator.crunchydata.com/cluster:
+ {{ .Values.instances.name }}
+ postgres-operator.crunchydata.com/role: pgbouncer
diff --git a/openshift/crunchydb/charts/crunchy-postgres/templates/_helpers.tpl b/openshift/crunchydb/charts/crunchy-postgres/templates/_helpers.tpl
new file mode 100644
index 000000000..584e9ad6c
--- /dev/null
+++ b/openshift/crunchydb/charts/crunchy-postgres/templates/_helpers.tpl
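Review bot: In templates/PostgresCluster.yaml the pgBouncer block hard-codes `client_tls_sslmode: disable`, so the pooler accepts client connections without TLS and no values file can turn it back on. The chart default `pg_hba: "host all all 0.0.0.0/0 md5"` in values.yaml compounds this, because a `host` rule also matches non-TLS connections and the address range is unrestricted; the Fider values in this series do not override it. Now that the chart is maintained in this repo, consider exposing the mode as a value with a safe default (`require` is a valid pgBouncer setting) and having the Fider values supply a `hostssl` rule with `scram-sha-256`, scoped to the addresses that actually need access. Separately, `postgresVersion` is emitted twice under `spec`; the second occurrence should be dropped, since duplicate mapping keys are rejected by strict YAML parsers.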
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "crunchy-postgres.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "crunchy-postgres.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "crunchy-postgres.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "crunchy-postgres.labels" -}}
+helm.sh/chart: {{ include "crunchy-postgres.chart" . }}
+{{ include "crunchy-postgres.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "crunchy-postgres.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "crunchy-postgres.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "crunchy-postgres.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "crunchy-postgres.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/openshift/crunchydb/charts/crunchy-postgres/templates/_s3.tpl b/openshift/crunchydb/charts/crunchy-postgres/templates/_s3.tpl
new file mode 100644
index 000000000..9f71811f7
--- /dev/null
+++ b/openshift/crunchydb/charts/crunchy-postgres/templates/_s3.tpl
@@ -0,0 +1,18 @@
+{{/* Allow for S3 secret information to be stored in a Secret */}}
+{{- define "postgres.s3" }}
+[global]
+{{- if .s3 }}
+ {{- if .s3.key }}
+repo{{ add .index 1 }}-s3-key={{ .s3.key }}
+ {{- end }}
+ {{- if .s3.keySecret }}
+repo{{ add .index 1 }}-s3-key-secret={{ .s3.keySecret }}
+ {{- end }}
+ {{- if .s3.keyType }}
+repo{{ add .index 1 }}-s3-key-type={{ .s3.keyType }}
+ {{- end }}
+ {{- if .s3.encryptionPassphrase }}
+repo{{ add .index 1 }}-cipher-pass={{ .s3.encryptionPassphrase }}
+ {{- end }}
+{{- end }}
+{{ end }}
\ No newline at end of file
diff --git a/openshift/crunchydb/charts/crunchy-postgres/templates/s3Secret.yaml b/openshift/crunchydb/charts/crunchy-postgres/templates/s3Secret.yaml
new file mode 100644
index 000000000..5c1aef224
--- /dev/null
+++ b/openshift/crunchydb/charts/crunchy-postgres/templates/s3Secret.yaml
@@ -0,0 +1,11 @@
+{{- if and .Values.pgBackRest.s3.enabled .Values.pgBackRest.s3.createS3Secret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.pgBackRest.s3.s3Secret }}
+type: Opaque
+data:
+ {{- $args := dict "s3" .Values.pgBackRest.s3 "index" 1 }}
+ s3.conf: |-
+ {{ include "postgres.s3" $args | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/openshift/crunchydb/charts/crunchy-postgres/values.yaml b/openshift/crunchydb/charts/crunchy-postgres/values.yaml
new file mode 100644
index 000000000..6959ac570
--- /dev/null
+++ b/openshift/crunchydb/charts/crunchy-postgres/values.yaml
@@ -0,0 +1,136 @@
+fullnameOverride: crunchy-postgres
+
+crunchyImage: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default
+#crunchyImage: artifacts.developer.gov.bc.ca/bcgov-docker-local/crunchy-postgres-gis:ubi8-15.2-3.3-0 # use this image for POSTGIS
+postgresVersion: 15
+#postGISVersion: '3.3' # use this version of POSTGIS. both crunchyImage and this property needs to have valid values for POSTGIS to be enabled.
+imagePullPolicy: IfNotPresent
+
+# enable to bootstrap a standby cluster from backup. Then disable to promote this standby to primary
+standby:
+ enabled: false
+ # If you want to recover from PVC, use repo1. If you want to recover from S3, use repo2
+ repoName: repo2
+
+instances:
+ name: ha # high availability
+ replicas: 2
+ dataVolumeClaimSpec:
+ storage: 480Mi
+ storageClassName: netapp-block-standard
+ requests:
+ cpu: 1m
+ memory: 256Mi
+ limits:
+ cpu: 100m
+ memory: 512Mi
+ replicaCertCopy:
+ requests:
+ cpu: 1m
+ memory: 32Mi
+ limits:
+ cpu: 50m
+ memory: 64Mi
+
+# If we need to restore the cluster from a backup, we need to set the following values
+# assuming restore from repo2 (s3), adjust as needed if your S3 repo is different
+dataSource:
+ enabled: false
+ # should have the same name and contain the same keys as the pgbackrest secret
+ secretName: s3-pgbackrest
+ repo:
+ name: repo2
+ path: "/habackup"
+ s3:
+ bucket: "bucketName"
+ endpoint: "s3.ca-central-1.amazonaws.com"
+ region: "ca-central-1"
+ stanza: db
+
+pgBackRest:
+ image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default
+ retention: "2" # Ideally a larger number such as 30 backups/days
+ # If retention-full-type set to 'count' then the oldest backups will expire when the number of backups reach the number defined in retention
+ # If retention-full-type set to 'time' then the number defined in retention will take that many days worth of full backups before expiration
+ retentionFullType: count
+ repos:
+ schedules:
+ full: 0 8 * * *
+ incremental: 0 0,4,12,16,20 * * *
+ volume:
+ accessModes: "ReadWriteOnce"
+ storage: 64Mi
+ storageClassName: netapp-file-backup
+ repoHost:
+ requests:
+ cpu: 1m
+ memory: 64Mi
+ limits:
+ cpu: 50m
+ memory: 128Mi
+ sidecars:
+ requests:
+ cpu: 1m
+ memory: 64Mi
+ limits:
+ cpu: 50m
+ memory: 128Mi
+ s3:
+ enabled: false
+ createS3Secret: true
+ # the s3 secret name
+ s3Secret: s3-pgbackrest
+ # the path start with /, it will be created under bucket if it doesn't exist
+ s3Path: "/habackup"
+ # s3UriStyle is host or path
+ s3UriStyle: path
+ # bucket specifies the S3 bucket to use,
+ bucket: "bucketName"
+ # endpoint specifies the S3 endpoint to use.
+ endpoint: "endpointName"
+ # region specifies the S3 region to use. If your S3 storage system does not
+ # use "region", fill this in with a random value.
+ region: "ca-central-1"
+ # key is the S3 key. This is stored in a Secret.
+ # Please DO NOT push this value to GitHub
+ key: "s3keyValue"
+ # keySecret is the S3 key secret. This is stored in a Secret.
+ # Please DO NOT push this value to GitHub
+ keySecret: "s3SecretValue"
+ # setting the below to be one plus of the default schedule
+ # to avoid conflicts
+ fullSchedule: "0 9 * * *"
+ incrementalSchedule: "0 1,5,13,17,21 * * *"
+
+patroni:
+ postgresql:
+ pg_hba: "host all all 0.0.0.0/0 md5"
+ parameters:
+ shared_buffers: 16MB # default is 128MB; a good tuned default for shared_buffers is 25% of the memory allocated to the pod
+ wal_buffers: "64kB" # this can be set to -1 to automatically set as 1/32 of shared_buffers or 64kB, whichever is larger
+ min_wal_size: 32MB
+ max_wal_size: 64MB # default is 1GB
+ max_slot_wal_keep_size: 128MB # default is -1, allowing unlimited wal growth when replicas fall behind
+
+proxy:
+ pgBouncer:
+ image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default
+ replicas: 2
+ requests:
+ cpu: 1m
+ memory: 64Mi
+ limits:
+ cpu: 50m
+ memory: 128Mi
+
+# Postgres Cluster resource values:
+pgmonitor:
+ enabled: false
+ exporter:
+ image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default
+ requests:
+ cpu: 1m
+ memory: 64Mi
+ limits:
+ cpu: 50m
+ memory: 128Mi
diff --git a/openshift/crunchydb/charts/tools/.helmignore b/openshift/crunchydb/charts/tools/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/openshift/crunchydb/charts/tools/Chart.yaml b/openshift/crunchydb/charts/tools/Chart.yaml
new file mode 100644
index 000000000..fb0e3cfc2
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: crunchy-postgres-tools
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.3.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"
diff --git a/openshift/crunchydb/charts/tools/README.md b/openshift/crunchydb/charts/tools/README.md
new file mode 100644
index 000000000..efc8191f5
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/README.md
@@ -0,0 +1,80 @@ +# Crunchy Postgres Tools chart + +A chart to provision service accounts and networking templates to our namespaces. + +This chart is meant to be deployed in all namespaces while using the `provisioner.namespace` value to conditionally deploy services in the correct namespaces. + +## Included templates: + +### Service accounts: + +#### Deployer + +A service account to be used to login to OpenShift and deploy your application in CI. This is deployed in all namespaces except for the tools/provisioner namespace. + +| Parameter | Description | Default | +| --------------------------------- | ----------------------------------- | ------- | +| `deployer.serviceAccount.enabled` | Enable the deployer service account | `true` | + +--- + +#### Provisioner + +A service account which is deployed to the tools namespace but the roles and rolebindings are deployed to all namespaces, giving the service account permissions to provision tools to all of the namespaces from the tools namespace. + +| Parameter | Description | Default | +| -------------------------------- | ----------------------------------------- | ------- | +| `deployer.provisioner.enabled` | Enable the provisioner service account | `true` | +| `deployer.provisioner.namespace` | The namespace the provisioner will run in | `true` | + +--- + +#### Linter + +A service account deployed to the /tools namespace and used to login to OpenShift and verify Helm templates. 
+ +| Parameter | Description | Default | +| ------------------------- | --------------------------------- | ------- | +| `deployer.linter.enabled` | Enable the linter service account | `true` | + +--- + +### Networking + +#### Namespace ingress network policy + +Network policy to allow traffic from outside the namespace (like the internet) to access our pods + +| Parameter | Description | Default | +| ---------------------------------- | --------------------------------- | ------- | +| `networking.networkPolicy.enabled` | Enable the ingress network policy | `true` | + +--- + +#### Pod ingress network policy + +Pod network policy to allow pods to accept traffic from other pods in this namespace + +| Parameter | Description | Default | +| ------------------------------------- | ------------------------------------- | ------- | +| `networking.podNetworkPolicy.enabled` | Enable the pod ingress network policy | `true` | + +--- + +#### Route + +OpenShift route whitch allows you to host your application at a public URL. + +| Parameter | Description | Default | +| -------------------------- | -------------------------- | ------- | +| `networking.route.enabled` | Enable the OpenShift route | `true` | +| `networking.route.host` | The OpenShift route host | | + +--- + +## Name overrides + +| Parameter | Description | Default | +| ------------------ | ------------------------------------------ | ------------------------ | +| `fullnameOverride` | Override release name | `crunchy-postgres-tools` | +| `deploymentName` | The name of your dev/test/prod deployments | `crunchy-postgres` | diff --git a/openshift/crunchydb/charts/tools/templates/_helpers.tpl b/openshift/crunchydb/charts/tools/templates/_helpers.tpl new file mode 100644 index 000000000..012711fdc --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "crunchy-postgres-tools.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "crunchy-postgres-tools.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "crunchy-postgres-tools.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "crunchy-postgres-tools.labels" -}} +helm.sh/chart: {{ include "crunchy-postgres-tools.chart" . }} +{{ include "crunchy-postgres-tools.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "crunchy-postgres-tools.selectorLabels" -}} +app.kubernetes.io/name: {{ include "crunchy-postgres-tools.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "crunchy-postgres-tools.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "crunchy-postgres-tools.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/openshift/crunchydb/charts/tools/templates/deployer/deployerRole.yaml b/openshift/crunchydb/charts/tools/templates/deployer/deployerRole.yaml new file mode 100644 index 000000000..4acd4289c --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/deployer/deployerRole.yaml 
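Review bot: The `crunchy-postgres-tools.serviceAccountName` helper at the end of this file reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but the chart's values.yaml in this patch defines only `deployer`, `provisioner`, `linter` and `networking`. Any template that includes the helper would therefore fail on the missing `serviceAccount` map; none of the templates added in this patch appear to call it. I would delete the helper, or mark it with a comment such as `{{/* Unused scaffold; requires .Values.serviceAccount to be defined */}}` so that nobody routes a service account name through it by accident.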
@@ -0,0 +1,217 @@ +{{ if and .Values.deployer.serviceAccount.enabled (ne .Release.Namespace .Values.provisioner.namespace) }} + +apiVersion: authorization.openshift.io/v1 +kind: Role +metadata: + labels: +{{ include "crunchy-postgres-tools.labels" . | indent 4}} + annotations: + openshift.io/description: A user who can deploy applications + openshift.io/reconcile-protect: "false" + name: {{ or .Values.deploymentName .Release.Name }}-deployer +rules: + - apiGroups: + - image.openshift.io + resources: + - imagestreamimages + - imagestreammappings + - imagestreams + - imagestreamtags + verbs: + - get + - list + - watch + - update + - apiGroups: + - image.openshift.io + resources: + - imagestreamtags + verbs: + - delete + - apiGroups: + - project.openshift.io + - "" + attributeRestrictions: null + resources: + - projects + verbs: + - get + - apiGroups: + - "" + attributeRestrictions: null + resources: + - replicationcontrollers + - persistentvolumeclaims + - services + - secrets + - configmaps + - endpoints + - pods + - pods/exec + verbs: + - watch + - list + - get + - create + - update + - patch + - delete + - deletecollection + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods/status + - pods/log + verbs: + - watch + - list + - get + - apiGroups: + - apps.openshift.io + attributeRestrictions: null + resources: + - deploymentconfigs + verbs: + - get + - create + - update + - patch + - apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets + verbs: + - get + - create + - delete + - update + - patch + - apiGroups: + - route.openshift.io + attributeRestrictions: null + resources: + - routes + verbs: + - list + - get + - create + - update + - patch + - delete + - apiGroups: + - template.openshift.io + attributeRestrictions: null + resources: + - processedtemplates + verbs: + - create + - apiGroups: + - route.openshift.io + - "" + attributeRestrictions: null + resources: + - routes/custom-host + verbs: + - create + - 
apiGroups: + - batch + attributeRestrictions: null + resources: + - jobs + - cronjobs + verbs: + - get + - create + - update + - patch + - delete + - watch + - list + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - "rbac.authorization.k8s.io" + - "authorization.openshift.io" + resources: + - roles + - rolebindings + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - extensions + - apps + resources: + - deployments + - replicasets + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - list + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - postgres-operator.crunchydata.com + resources: + - postgresclusters + verbs: + - get + - create + - update + - patch + - delete +{{ end }} diff --git a/openshift/crunchydb/charts/tools/templates/deployer/deployerRoleBinding.yaml b/openshift/crunchydb/charts/tools/templates/deployer/deployerRoleBinding.yaml new file mode 100644 index 000000000..b5d26099f --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/deployer/deployerRoleBinding.yaml 
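Review bot: The `-deployer` Role grants much more than a CI account that deploys a Postgres cluster needs. The core-group rule gives every verb up to `deletecollection` on `secrets` and `pods/exec`, and a later rule gives create/update/patch/delete on `roles` and `rolebindings`. A leaked deployer token could read every secret in the namespace, including any database credentials stored there, and open a shell in any pod. I would limit the Role to the objects the release manages (`postgresclusters` and the chart's own resources), move `secrets` into its own rule restricted with `resourceNames`, and drop `pods/exec` unless a pipeline step is shown to depend on it. The same rule set is repeated in provisioner/provisionerRole.yaml, which is rendered in every namespace the chart is installed in.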
@@ -0,0 +1,18 @@
+{{ if and .Values.deployer.serviceAccount.enabled (ne .Release.Namespace .Values.provisioner.namespace) }}
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ or .Values.deploymentName .Release.Name }}-deployer
+ labels:
+{{ include "crunchy-postgres-tools.labels" . | indent 4}}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ or .Values.deploymentName .Release.Name }}-deployer
+subjects:
+ - kind: ServiceAccount
+ name: {{ or .Values.deploymentName .Release.Name }}-deployer
+ namespace: {{ .Release.namespace }}
+
+{{ end }}
diff --git a/openshift/crunchydb/charts/tools/templates/deployer/deployerServiceAccount.yaml b/openshift/crunchydb/charts/tools/templates/deployer/deployerServiceAccount.yaml
new file mode 100644
index 000000000..b2df66067
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/deployer/deployerServiceAccount.yaml
@@ -0,0 +1,11 @@
+{{ if and .Values.deployer.serviceAccount.enabled (ne .Release.Namespace .Values.provisioner.namespace) }}
+
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: {{ or .Values.deploymentName .Release.Name }}-deployer
+ labels:
+{{ include "crunchy-postgres-tools.labels" . | indent 4}}
+ namespace: {{ .Release.namespace }}
+
+{{ end }}
diff --git a/openshift/crunchydb/charts/tools/templates/linter/linterRole.yaml b/openshift/crunchydb/charts/tools/templates/linter/linterRole.yaml
new file mode 100644
index 000000000..480e2c27d
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/linter/linterRole.yaml
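Review bot: `namespace: {{ .Release.namespace }}` in the RoleBinding subject uses a lower-case key that Helm does not define; the built-in is `.Release.Namespace`, which is how the `if` guard on the first line of the same template spells it. As written the subject namespace most likely renders empty, so the binding either fails validation or does not name the deployer ServiceAccount of this namespace. Change the line to `namespace: {{ .Release.Namespace }}`; the `metadata.namespace` line in deployer/deployerServiceAccount.yaml needs the same fix.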
@@ -0,0 +1,497 @@ +{{- if and (.Values.linter.serviceAccount.enabled) (eq .Release.Namespace .Values.provisioner.namespace) }} + +apiVersion: authorization.openshift.io/v1 +kind: Role +metadata: + labels: {{ include "crunchy-postgres-tools.labels" . | nindent 4}} + annotations: + openshift.io/description: A user who can view but not edit any resources within + the project. They can not view secrets or membership. + openshift.io/reconcile-protect: "false" + name: {{ .Release.Name }}-linter +rules: +- apiGroups: + - "" + attributeRestrictions: null + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - projects + - pods + - replicationcontrollers + - replicationcontrollers/scale + - serviceaccounts + - services + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - bindings + - events + - limitranges + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - apps + attributeRestrictions: null + resources: + - daemonsets + - deployments + - deployments/scale + - replicasets + - replicasets/scale + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: + - autoscaling + attributeRestrictions: null + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch +- apiGroups: + - batch + attributeRestrictions: null + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - daemonsets + - deployments + - deployments/scale + - ingresses + - replicasets + - replicasets/scale + - replicationcontrollers/scale + verbs: + - get + - list + - watch +- apiGroups: + - policy + attributeRestrictions: null + resources: + - poddisruptionbudgets + verbs: + - get 
+ - list + - watch +- apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets/scale + verbs: + - get +- apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets/scale + verbs: + - list +- apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets/scale + verbs: + - watch +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - get +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - list +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - watch +- apiGroups: + - networking.k8s.io + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - get +- apiGroups: + - networking.k8s.io + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - list +- apiGroups: + - networking.k8s.io + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - pods + - replicationcontrollers + - serviceaccounts + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - bindings + - events + - limitranges + - namespaces + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch +- apiGroups: + - batch + attributeRestrictions: null + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - deployments + - deployments/scale + - replicasets + - replicasets/scale + verbs: + - get + - list + - watch +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - apps + 
attributeRestrictions: null + resources: + - deployments + - deployments/scale + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: + - build.openshift.io + - "" + attributeRestrictions: null + resources: + - buildconfigs + - buildconfigs/webhooks + - builds + verbs: + - get + - list + - watch +- apiGroups: + - build.openshift.io + - "" + attributeRestrictions: null + resources: + - builds/log + verbs: + - get + - list + - watch +- apiGroups: + - build.openshift.io + attributeRestrictions: null + resources: + - jenkins + verbs: + - view +- apiGroups: + - apps.openshift.io + - "" + attributeRestrictions: null + resources: + - deploymentconfigs + - deploymentconfigs/scale + verbs: + - get + - list + - watch +- apiGroups: + - apps.openshift.io + - "" + attributeRestrictions: null + resources: + - deploymentconfigs/log + - deploymentconfigs/status + verbs: + - get + - list + - watch +- apiGroups: + - image.openshift.io + - "" + attributeRestrictions: null + resources: + - imagestreamimages + - imagestreammappings + - imagestreams + - imagestreamtags + verbs: + - get + - list + - watch +- apiGroups: + - image.openshift.io + - "" + attributeRestrictions: null + resources: + - imagestreams/status + verbs: + - get + - list + - watch +- apiGroups: + - project.openshift.io + - "" + attributeRestrictions: null + resources: + - projects + verbs: + - get +- apiGroups: + - quota.openshift.io + - "" + attributeRestrictions: null + resources: + - appliedclusterresourcequotas + verbs: + - get + - list + - watch +- apiGroups: + - route.openshift.io + - "" + attributeRestrictions: null + resources: + - routes + verbs: + - get + - list + - watch +- apiGroups: + - route.openshift.io + - "" + attributeRestrictions: null + resources: + - routes/status + verbs: + - get + - list + - watch +- apiGroups: + - template.openshift.io + - "" + attributeRestrictions: null + resources: + - processedtemplates + - templateconfigs + - templateinstances + - templates + verbs: + - get + - 
list + - watch +- apiGroups: + - build.openshift.io + - "" + attributeRestrictions: null + resources: + - buildlogs + verbs: + - get + - list + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - resourcequotausages + verbs: + - get + - list + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - projects + verbs: + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - projects + verbs: + - list +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets + verbs: + - get +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets + verbs: + - list +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets + verbs: + - watch +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets/scale + verbs: + - get +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets/scale + verbs: + - list +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets/scale + verbs: + - watch +- apiGroups: + - apps + attributeRestrictions: null + resources: + - daemonsets + verbs: + - get +- apiGroups: + - apps + attributeRestrictions: null + resources: + - daemonsets + verbs: + - list +- apiGroups: + - apps + attributeRestrictions: null + resources: + - daemonsets + verbs: + - watch +- apiGroups: + - authorization.openshift.io + - rbac.authorization.k8s.io + attributeRestrictions: null + resources: + - rolebindings + - roles + verbs: + - get + - patch +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get +- apiGroups: + - postgres-operator.crunchydata.com + resources: + - postgresclusters + verbs: + - get + - list + +{{ end }} \ No newline at end of file 
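Review bot: The first rule lists `secrets` with `get`/`list`/`watch`, which contradicts the Role's own description ("They can not view secrets or membership") and the values.yaml comment that calls this a low-permission account. Near the end of the file the rule for `rolebindings` and `roles` also grants `patch`, so the account is not read-only either. Unless the lint job is shown to need them, remove `- secrets` from the first rule and reduce the RBAC rule to `- get`; if Helm release secrets must be readable for a dry run, state that in the description instead of claiming otherwise. Several resources (`statefulsets/scale`, `networkpolicies`, `replicasets`, `daemonsets`) are split into one rule per verb or repeated, and merging them would make the granted surface much easier to audit.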
diff --git a/openshift/crunchydb/charts/tools/templates/linter/linterRoleBinding.yaml b/openshift/crunchydb/charts/tools/templates/linter/linterRoleBinding.yaml
new file mode 100644
index 000000000..ebb16624d
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/linter/linterRoleBinding.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.linter.serviceAccount.enabled (eq .Release.Namespace .Values.provisioner.namespace) }}
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-linter
+ labels: {{ include "crunchy-postgres-tools.labels" . | nindent 4}}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-linter
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}-linter
+ namespace: {{ .Values.linter.namespace }}
+
+{{ end }}
diff --git a/openshift/crunchydb/charts/tools/templates/linter/linterServiceAccount.yaml b/openshift/crunchydb/charts/tools/templates/linter/linterServiceAccount.yaml
new file mode 100644
index 000000000..cc1d53ec5
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/linter/linterServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.linter.serviceAccount.enabled (eq .Release.Namespace .Values.provisioner.namespace)}}
+
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: {{ .Release.Name }}-linter
+ labels: {{ include "crunchy-postgres-tools.labels" . | nindent 4}}
+ namespace: {{ .Values.linter.namespace }}
+
+{{ end }}
diff --git a/openshift/crunchydb/charts/tools/templates/networking/networkPolicy.yaml b/openshift/crunchydb/charts/tools/templates/networking/networkPolicy.yaml
new file mode 100644
index 000000000..56b5d77c1
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/networking/networkPolicy.yaml
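Review bot: Both linter templates set `namespace: {{ .Values.linter.namespace }}`, but the chart's values.yaml in this patch defines only `linter.serviceAccount.enabled`, and the `if` guard on the first line compares against `.Values.provisioner.namespace`. Unless every values file adds `linter.namespace`, the ServiceAccount metadata and the RoleBinding subject render with an empty namespace. Using the key the guard already checks, `namespace: {{ .Values.provisioner.namespace }}`, keeps the linter Role, binding and account in the same namespace. This applies to linterRoleBinding.yaml and linterServiceAccount.yaml.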
@@ -0,0 +1,23 @@
+{{- if and .Values.networking.networkPolicy.enabled (ne .Release.Namespace .Values.provisioner.namespace) }}
+
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ or .Values.deploymentName .Release.Name }}-allow-route-ingress
+ labels:
+{{ include "crunchy-postgres-tools.labels" . | indent 4}}
+spec:
+ # This policy allows any pod with a route & service combination
+ # to accept traffic from the OpenShift router pods. This is
+ # required for things outside of OpenShift (like the Internet)
+ # to reach your pods.
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ network.openshift.io/policy-group: ingress
+ podSelector: {}
+ policyTypes:
+ - Ingress
+
+{{- end }}
diff --git a/openshift/crunchydb/charts/tools/templates/networking/podNetworkPolicy.yaml b/openshift/crunchydb/charts/tools/templates/networking/podNetworkPolicy.yaml
new file mode 100644
index 000000000..b706a96c0
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/networking/podNetworkPolicy.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.networking.podNetworkPolicy.enabled (ne .Release.Namespace .Values.provisioner.namespace) }}
+
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ or .Values.deploymentName .Release.Name }}-allow-same-namespace
+ labels:
+{{ include "crunchy-postgres-tools.labels" . | indent 4}}
+spec:
+ # This policy allows pods to accept traffic from other pods in this namespace
+ ingress:
+ - from:
+ - podSelector: {}
+ podSelector: {}
+
+{{ end }}
diff --git a/openshift/crunchydb/charts/tools/templates/networking/route.yaml b/openshift/crunchydb/charts/tools/templates/networking/route.yaml
new file mode 100644
index 000000000..55cc81f35
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/networking/route.yaml
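Review bot: `podSelector: {}` in the allow-route-ingress policy selects every pod in the namespace, so the router namespaces are allowed to reach database pods deployed there as well as pods that actually sit behind a Route. The comment in `spec` says the intent is pods "with a route & service combination", which a label selector would express, for example `podSelector: {matchLabels: {<route-exposed-label>: "true"}}` (placeholder; the chart defines no such label yet). The values.yaml default of `networkPolicy.enabled: true` means this wide policy is applied on every install, so I would either narrow the selector or default it to `false`. podNetworkPolicy.yaml omits `policyTypes`; adding `policyTypes: [Ingress]` there would match the first policy and make the intent explicit.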
@@ -0,0 +1,21 @@
+{{- if and .Values.networking.route.enabled (ne .Release.Namespace .Values.provisioner.namespace) }}
+
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: {{ template "crunchy-postgres-tools.fullname" . }}
+ labels:
+{{ include "crunchy-postgres-tools.labels" . | indent 4}}
+spec:
+ host: {{ .Values.networking.route.host }}
+ port:
+ targetPort: {{ template "crunchy-postgres-tools.fullname" . }}
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ to:
+ kind: Service
+ name: {{ template "crunchy-postgres-tools.fullname" . }}
+ weight: 100
+
+{{ end }}
diff --git a/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRole.yaml b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRole.yaml
new file mode 100644
index 000000000..fa677b65f
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRole.yaml
@@ -0,0 +1,237 @@ +{{ if .Values.provisioner.serviceAccount.enabled }} + +apiVersion: authorization.openshift.io/v1 +kind: Role +metadata: + labels: {{ include "crunchy-postgres-tools.labels" . | nindent 4}} + annotations: + openshift.io/description: A user who can deploy applications + openshift.io/reconcile-protect: "false" + name: {{ .Release.Name }}-provisioner +rules: + - apiGroups: + - image.openshift.io + resources: + - imagestreamimages + - imagestreammappings + - imagestreams + - imagestreamtags + verbs: + - get + - list + - watch + - update + - apiGroups: + - image.openshift.io + resources: + - imagestreamtags + verbs: + - delete + - apiGroups: + - project.openshift.io + - "" + attributeRestrictions: null + resources: + - projects + verbs: + - get + - apiGroups: + - "" + attributeRestrictions: null + resources: + - replicationcontrollers + - persistentvolumeclaims + - services + - secrets + - configmaps + - endpoints + - pods + - pods/exec + verbs: + - watch + - list + - get + - create + - update + - patch + - delete + - deletecollection + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods/status + - pods/log + verbs: + - watch + - list + - get + - apiGroups: + - apps.openshift.io + attributeRestrictions: null + resources: + - deploymentconfigs + verbs: + - get + - create + - update + - patch + - apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets + verbs: + - get + - create + - delete + - update + - patch + - apiGroups: + - route.openshift.io + attributeRestrictions: null + resources: + - routes + verbs: + - list + - get + - create + - update + - patch + - delete + - apiGroups: + - template.openshift.io + attributeRestrictions: null + resources: + - processedtemplates + - templates + verbs: + - create + - patch + - apiGroups: + - route.openshift.io + attributeRestrictions: null + resources: + - routes + verbs: + - get + - create + - update + - patch + - apiGroups: + - route.openshift.io + - "" + 
attributeRestrictions: null + resources: + - routes/custom-host + verbs: + - create + - apiGroups: + - batch + attributeRestrictions: null + resources: + - jobs + - cronjobs + verbs: + - get + - create + - update + - patch + - delete + - watch + - list + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - "rbac.authorization.k8s.io" + - "authorization.openshift.io" + resources: + - roles + - rolebindings + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - extensions + - apps + resources: + - deployments + - replicasets + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - list + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - artifactory.devops.gov.bc.ca + resources: + - artifactoryserviceaccounts + verbs: + - get + - list + - apiGroups: + - postgres-operator.crunchydata.com + resources: + - postgresclusters + verbs: + - get + - list + - create + - update + - patch + - delete + +{{ end }} diff --git a/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRoleBinding.yaml b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRoleBinding.yaml new file mode 100644 index 000000000..f89476fff --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRoleBinding.yaml 
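Review bot: The second `route.openshift.io` rule for `routes` (get/create/update/patch) is fully covered by the earlier rule that already grants list/get/create/update/patch/delete on the same resource, so it can be deleted. The Role is declared with `apiVersion: authorization.openshift.io/v1` and carries `attributeRestrictions: null`, while provisionerRoleBinding.yaml refers to it through `apiGroup: rbac.authorization.k8s.io`. Declaring it as `apiVersion: rbac.authorization.k8s.io/v1` and dropping the `attributeRestrictions` lines would keep the Role and its binding on the same API; deployer/deployerRole.yaml has the same mismatch. A short comment above `rules:` naming the pipeline steps that need `secrets` and `pods/exec` would also help whoever audits this Role next.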
@@ -0,0 +1,19 @@
+{{ if .Values.provisioner.serviceAccount.enabled }}
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-provisioner
+ labels:
+{{ include "crunchy-postgres-tools.labels" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-provisioner
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}-provisioner
+ namespace: {{ .Values.provisioner.namespace }}
+
+
+{{ end }}
diff --git a/openshift/crunchydb/charts/tools/templates/provisioner/provisionerServiceAccount.yaml b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerServiceAccount.yaml
new file mode 100644
index 000000000..fe04e79cc
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerServiceAccount.yaml
@@ -0,0 +1,11 @@
+{{- if and .Values.provisioner.serviceAccount.enabled (eq .Release.Namespace .Values.provisioner.namespace) }}
+
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: {{ .Release.Name }}-provisioner
+ labels:
+{{ include "crunchy-postgres-tools.labels" . | indent 4 }}
+ namespace: {{ .Values.provisioner.namespace }}
+
+{{ end }}
diff --git a/openshift/crunchydb/charts/tools/values.yaml b/openshift/crunchydb/charts/tools/values.yaml
new file mode 100644
index 000000000..0cd0cf421
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/values.yaml
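Review bot: `provisioner.namespace` has no default (the chart's values.yaml ships `namespace: #tools-namespace`, which parses as null), yet provisionerRoleBinding.yaml is rendered whenever `provisioner.serviceAccount.enabled` is true and writes that value into the subject. An install that forgets to set it produces a binding with an empty subject namespace, and the `ne`/`eq` guards in the other templates end up comparing against an unset value. Failing at render time is safer: `namespace: {{ required "provisioner.namespace must be set" .Values.provisioner.namespace }}`. The same line in provisionerServiceAccount.yaml can take the same form.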
@@ -0,0 +1,31 @@ +fullnameOverride: crunchy-postgres-tools +deploymentName: crunchy-postgres + +deployer: + serviceAccount: + enabled: true + +# Enable the provisioner service account which is used to deploy services to our other namespaces (dev/test/prod) +# The tools namespace needs to be passed in so we know which namespace to install the service account in and the rolebindings get proper permissions +provisioner: + namespace: #tools-namespace + serviceAccount: + enabled: true + +# Service account with fairly low permissions for the linter +linter: + serviceAccount: + enabled: true + +networking: + # Network policy to allow traffic from outside the namespace (like the internet) + networkPolicy: + enabled: true + # Pod network policy to allow pods to accept traffic from other pods in this namespace + podNetworkPolicy: + enabled: true + # Enable OpenShift route whitch allows you to host your application at a public URL + route: + enabled: false + host: # eg: crunchy-postgres-namespace.apps.silver.devops.gov.bc.ca + From f9c9e9f79b2d122527ccd17c8bff094e804016f8 Mon Sep 17 00:00:00 2001 From: Walter Moar Date: Fri, 13 Dec 2024 21:54:45 +0000 Subject: [PATCH 3/8] docs: updated the crunchydb readme --- openshift/crunchydb/README.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/openshift/crunchydb/README.md b/openshift/crunchydb/README.md index dc2575574..9de7fd5c2 100644 --- a/openshift/crunchydb/README.md +++ b/openshift/crunchydb/README.md 
@@ -1,13 +1,18 @@ -# Fider +# CrunchyDB -Fider uses CrunchyDB as its highly available database. CrunchyDB uses Patroni, -which uses PostgreSQL as the database. +CHEFS uses CrunchyDB for all of its highly available database. CrunchyDB uses +Patroni for replication and failovers, and Patroni uses PostgreSQL as the +underlying database. ## Installation This CrunchyDB installation use the [Helm chart](https://github.com/bcgov/crunchy-postgres) provided by the fine -folks over at platform services. The `charts` directory has been copied here -from commit `91d32cb` so that changes to the upstream repo don't unexpectedly -change our deployments. This stability and consistency comes at the cost of -added maintenance effort to stay in sync. +folks over at platform services. Huge thanks go to this team for doing the hard +work of figuring out the CrunchyDB setup and making it easy for the community. + +The `charts` directory has been copied here so that changes to the upstream repo +don't unexpectedly change our deployments. This stability and consistency comes +at the cost of added maintenance effort to stay in sync. + +This code is current to commit `91d32cb` in December 2024. From 272b892f720f18fc15909026ae1102f595c2cb75 Mon Sep 17 00:00:00 2001 From: Walter Moar Date: Fri, 13 Dec 2024 21:55:36 +0000 Subject: [PATCH 4/8] docs: fixed a wording issue --- openshift/crunchydb/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openshift/crunchydb/README.md b/openshift/crunchydb/README.md index 9de7fd5c2..beaa9774b 100644 --- a/openshift/crunchydb/README.md +++ b/openshift/crunchydb/README.md @@ -6,7 +6,7 @@ underlying database. ## Installation -This CrunchyDB installation use the +The CrunchyDB installations use the [Helm chart](https://github.com/bcgov/crunchy-postgres) provided by the fine folks over at platform services. Huge thanks go to this team for doing the hard work of figuring out the CrunchyDB setup and making it easy for the community. 
From 937724ac9f502906c7ba5ba0a0a7db9829e448a8 Mon Sep 17 00:00:00 2001 From: Walter Moar Date: Fri, 13 Dec 2024 21:57:15 +0000 Subject: [PATCH 5/8] docs: wording tweaks --- openshift/crunchydb/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/openshift/crunchydb/README.md b/openshift/crunchydb/README.md index beaa9774b..5faa52dc2 100644 --- a/openshift/crunchydb/README.md +++ b/openshift/crunchydb/README.md @@ -8,8 +8,9 @@ underlying database. The CrunchyDB installations use the [Helm chart](https://github.com/bcgov/crunchy-postgres) provided by the fine -folks over at platform services. Huge thanks go to this team for doing the hard -work of figuring out the CrunchyDB setup and making it easy for the community. +folks over at platform services. Huge thanks go to that team for doing the hard +work of figuring out the CrunchyDB setup and making it easier for the community +to use CrunchyDB. The `charts` directory has been copied here so that changes to the upstream repo don't unexpectedly change our deployments. This stability and consistency comes From a53d78b89fda19f9681eb28ccc403ceedf8f3d29 Mon Sep 17 00:00:00 2001 From: Walter Moar Date: Fri, 13 Dec 2024 22:00:10 +0000 Subject: [PATCH 6/8] refactor: renamed fider directory to crunchydb --- openshift/fider/README.md | 19 ------------------- .../fider/values-crunchy-postgres-fider.yaml | 2 -- openshift/fider/values-tools-fider.yaml | 18 ------------------ 3 files changed, 39 deletions(-) delete mode 100644 openshift/fider/README.md delete mode 100644 openshift/fider/values-crunchy-postgres-fider.yaml delete mode 100644 openshift/fider/values-tools-fider.yaml diff --git a/openshift/fider/README.md b/openshift/fider/README.md deleted file mode 100644 index 4ff188ee8..000000000 --- a/openshift/fider/README.md +++ /dev/null 
@@ -1,19 +0,0 @@
-# Fider
-
-Fider uses CrunchyDB as its highly available database. CrunchyDB uses Patroni,
-which uses PostgreSQL as the database.
-
-## Installation
-
-CrunchyDB is installed using the
-[Helm chart](https://github.com/bcgov/crunchy-postgres) provided by the fine
-folks over at platform services. Clone this repo.
-
-> TBD: should we make a copy of it in our repo, so that a recreate uses the same
-> charts? Probably.
-
-```sh
-export HELM_CHART_DIR=
-$ helm -n a12c97-tools upgrade --install crunchy-tools-fider $HELM_CHART_DIR/charts/tools -f values-tools-fider.yaml
-$ helm -n a12c97-tools upgrade --install crunchy-postgres-fider $HELM_CHART_DIR/charts/crunchy-postgres -f values-crunchy-postgres-fider.yaml
-```
diff --git a/openshift/fider/values-crunchy-postgres-fider.yaml b/openshift/fider/values-crunchy-postgres-fider.yaml
deleted file mode 100644
index 059c87a72..000000000
--- a/openshift/fider/values-crunchy-postgres-fider.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-deploymentName: crunchy-postgres-fider
-fullnameOverride: crunchy-postgres-tools-fider
diff --git a/openshift/fider/values-tools-fider.yaml b/openshift/fider/values-tools-fider.yaml
deleted file mode 100644
index c0659649a..000000000
--- a/openshift/fider/values-tools-fider.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-fullnameOverride: crunchy-postgres-fider
-
-postgresVersion: 16
-
-instances:
- replicas: 3
- dataVolumeClaimSpec:
- storage: 512Mi
-
-pgBackRest:
- repos:
- schedules:
- full: 0 12 * * *
- incremental: 0 0,4,8,16,20 * * *
-
-proxy:
- pgBouncer:
- replicas: 3
From 9fc1015386fd95631b6cd3a1ef60ae4c7c4496e0 Mon Sep 17 00:00:00 2001
From: Walter Moar
Date: Fri, 13 Dec 2024 22:28:03 +0000
Subject: [PATCH 7/8] docs: fixed a typo

---
 openshift/crunchydb/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openshift/crunchydb/README.md b/openshift/crunchydb/README.md
index 5faa52dc2..edc11e37b 100644
--- a/openshift/crunchydb/README.md
+++ b/openshift/crunchydb/README.md
@@ -1,6 +1,6 @@
 # CrunchyDB
 
-CHEFS uses CrunchyDB for all of its highly available database. CrunchyDB uses
+CHEFS uses CrunchyDB for all of its highly available databases. CrunchyDB uses
 Patroni for replication and failovers, and Patroni uses PostgreSQL as the
 underlying database.
 
From 91bb144404c142e67931d40eef11ff04863f7d0c Mon Sep 17 00:00:00 2001
From: Walter Moar
Date: Fri, 13 Dec 2024 22:34:18 +0000
Subject: [PATCH 8/8] docs: fixed a typo

---
 openshift/crunchydb/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openshift/crunchydb/README.md b/openshift/crunchydb/README.md
index edc11e37b..1859551ca 100644
--- a/openshift/crunchydb/README.md
+++ b/openshift/crunchydb/README.md
@@ -7,7 +7,7 @@ underlying database.
 ## Installation
 
 The CrunchyDB installations use the
-[Helm chart](https://github.com/bcgov/crunchy-postgres) provided by the fine
+[Helm charts](https://github.com/bcgov/crunchy-postgres) provided by the fine
 folks over at platform services. Huge thanks go to that team for doing the hard
 work of figuring out the CrunchyDB setup and making it easier for the community
 to use CrunchyDB.