diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..62635fc
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+Chart.lock
+charts/
+.vscode/settings.json
+.DS_Store
+secrets*.yaml.dec
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..87470c9
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,18 @@
+# Fingerprint | User ID
+# keys in https://git.dev-at.de/smardigo-hetzner/communication-keys
+# D65D400040387210377B6A71DFD775644EAAC77B Friedrich Goerz
+# E5B4FE1E0209DFFE320D2A2E47087747D89B72EC smardigo automation PRODNSO
+# BE3FB94982C2DE95B1EDD388A96613A6B1DB15B5 Sven Ketelsen
+# 9F08DA9D42379AFE6610E9E615CCEC6801DBA02E Hoan To
+# 17B8FDF68AC123EB666934B17D0DF6EC048A5D77 Claus Paetow
+# 73C2C9954D1BC94DC6682525D2FA233B52AEC75C Michael Haehnel
+
+creation_rules:
+ # list of keys for encryption in stage
+ - pgp: >-
+ E5B4FE1E0209DFFE320D2A2E47087747D89B72EC,
+ D65D400040387210377B6A71DFD775644EAAC77B,
+ BE3FB94982C2DE95B1EDD388A96613A6B1DB15B5,
+ 9F08DA9D42379AFE6610E9E615CCEC6801DBA02E,
+ 17B8FDF68AC123EB666934B17D0DF6EC048A5D77,
+ 73C2C9954D1BC94DC6682525D2FA233B52AEC75C
diff --git a/Chart.yaml b/Chart.yaml
new file mode 100644
index 0000000..d509981
--- /dev/null
+++ b/Chart.yaml
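Review bot: The ignore list does not cover editor swap files, and this same commit adds templates/.servicemonitor_s3_minio.yaml.swp as a binary blob; a vim swap file can carry the unsaved buffer of the template it was editing, so it should be dropped from the tree and excluded going forward with `*.swp` next to the `.vscode/settings.json` entry. The `secrets*.yaml.dec` pattern is good; consider `*.dec` so a decrypted copy of any other sops-managed file is caught as well.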
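Review bot: The comment `# list of keys for encryption in stage` does not match the rule below it, which has no `path_regex` and therefore governs every file sops encrypts in this repository, including the secrets.yaml added here for the prodwork01 tenant. Either drop the stage wording from the comment or add one `- path_regex:` rule per environment so production material is not encrypted to the same six recipients by default. A per-file recipient set also makes a later `sops updatekeys` run auditable per environment.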
@@ -0,0 +1,32 @@
+apiVersion: v2
+name: mobene-keycloak
+description: Installing separate keycloak instance for mobene
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.2
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.19"
+
+dependencies:
+ - name: tenant
+ version: 4.5.4
+ repository: oci://prodnso-harbor-01.smardigo.digital/infrastructure
+ - name: prometheus-postgres-exporter
+ version: 4.2.1
+ repository: oci://prodnso-harbor-01.smardigo.digital/infrastructure
diff --git a/secrets.yaml b/secrets.yaml
new file mode 100644
index 0000000..7a53916
--- /dev/null
+++ b/secrets.yaml
@@ -0,0 +1,137 @@ +minio_tenant_users: + - name: ENC[AES256_GCM,data:Gl4pHCmoAng=,iv:dnj/J1mdIU8TzTRl4ibw9xWR3Uqf4RVDvsyHe9oY4ig=,tag:aHLQVUzdV/e1gI0wvmEhKg==,type:str] + password: ENC[AES256_GCM,data:w3t4MBzd/qSaTk3HYsmNQYaoj8qRQTiP4RB1QmNOLKM=,iv:N1aKjeWymH4/jMBd5cmasXLBI48N/OO19v4ngNnO3G4=,tag:G8XOn9lGMhixLC/34Wl6rQ==,type:str] +postgres_bkp: + bkp_user: ENC[AES256_GCM,data:UUPYn8QDu9w=,iv:yIiPnniKq/8u6hStgOgOHni24LDvWAkGjx5y3VS7pPU=,tag:I1H0jHhRAlLjTBGVisP7Bg==,type:str] + bkp_pass: ENC[AES256_GCM,data:jD4akr1jsdIdWzQ+PRiaMvHwgQsoJKYqgrVZiaUO6hE=,iv:PEJCmopoVsEbkmyE4trqGxVFgA/OnwoiljGQxYqmaRc=,tag:9A0A1yTeFLRM5kcjTSBs0A==,type:str] + bkp_url: ENC[AES256_GCM,data:I+r1ftNRbiv2/N1dGois3CQ0NG1N2B+MZKRtGv67Bg3eRJEpLy6+GIvveKHCIFBpqH9CldWXzXm4pCASCA==,iv:XIiLxdl/kDxWWRERnLRrgD1J4LXJmBOngKSsqQH0CgI=,tag:R7P+EkhGKS9aUcoAesGLXQ==,type:str] +tenant: + secrets: + name: ENC[AES256_GCM,data:qR9a5idBMJgkNi6c,iv:QgM0n25QAYkUQiyhWFNc5PfcnUZMOqWHey5NcThpZK8=,tag:HbvbbQWIj+PIErM3k5vl/Q==,type:str] + accessKey: ENC[AES256_GCM,data:XtehJFc=,iv:du0nWTio2L+KkXMpvuii6WEp1VawdKzQ/DC2vJ51G4Q=,tag:EmHY949y7+lsmG5XppVPqA==,type:str] + secretKey: ENC[AES256_GCM,data:f5XpuVs5NmFZxgs9jGnMRrjRQpUmvlA7x5uN9x48X1w=,iv:BoQW+9PdJA3OVMhBLeBVM2ldB4G4iRSzTgNcJWYWobQ=,tag:iv6iRw5yU9u9vwNqpRXnoQ==,type:str] +prometheusPgExporter: + dbCredentials: + pgHostname: ENC[AES256_GCM,data:Xgl4RtvBuYzmWl+tV8ToJA==,iv:tbS5JBttZIqvB51UpWuyI3JYqSfrqFamgsCVQ2KMiRI=,tag:KgrBmMRch+IcSEeA5vSNuQ==,type:str] + pgUsername: ENC[AES256_GCM,data:V/8m4/VKT2XTT8ySXpQv/yI=,iv:Ydus78HYDIOi9/9huFTL9GNp9oIRWOLgi/PAtCD8gvU=,tag:hFADQ/wqfLbZNjxNYs/fiA==,type:str] + pgPassword: ENC[AES256_GCM,data:RPGwtcStH9qcQSaFGncuFwoHMA1A29lnhIuovC3ZB3s=,iv:Ne/3uW3Wy4tuG4IJaqwvz45dmxA5Gw+laicqeLJzLzo=,tag:3epeENbw3HJd69VN2xgVvA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-03-02T16:15:25Z" + mac: 
ENC[AES256_GCM,data:WQB3HtUCm7xq4ODhO1vdKXDv8ZIWneJ5ZAa6WZAUsbN3W+r7Iin39eqj9guvSaoUBM5n+QNeQbNV5PoUkujd/jyaUyqKf0x02Ilb8wLJwZAl4EsgloZGBE3J4Sx7m/L8qhy4YYYLKP83KuaI6wWLiKi9usR2bDuCBnt4/N926vI=,iv:83lD9MaBoS20xHzUrtrLgf3PQTwTX924BYu8IKimu+M=,tag:8h53wTt6Ej/qXdIhZWLtjQ==,type:str] + pgp: + - created_at: "2023-03-02T14:39:34Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA911WKxzIy2nARAAi1EPy2qd8q0jV7ViQGKSHKoHigaYEg0kJHUgqPQko8te + L60/7iotHqAjXlPySK58hQjnfBqKmGR0gvb+IX0JTBlYbHDva4J1qswsEmWHiuhp + HQRVIrbTNCDKSUz1MPXpl+FjvqDoyEv+61ZBPL/7LeEmaixHJPr8MS6mKh9lwok4 + UTwj8MwnTBT+Pgf5bg3o9oWcbPkmiWv12sFZM+glbV5xKDEGsUHnuWO9zeVstkmQ + +/YxqJncvDsgyzlygqBC9RmyjvcUcpHbvIBUE3vR/s54DusWAJowcoR6j3BkzjuR + Vr3azA5C/WBtgCfUJtM2O5YtAxgYqYk37nlQUjTxaKxfb1DiW5CzDR4QldUX2PIE + 7RF718AO8Mj8s+5nm4KooNhkIepzc/e3Z0U9nvC5LTEc5NeAWg8tz0kTmxeT7xCN + zSSKyBzDsTnSqHZvxLDWX4tnI3POTsJXqebtCSVVeAbJqZpsxdPAjsT+CxYtPBAb + ep1pGWW8N47Col8lwZ7KtOpsYdh77wfm9pOcYYzd99t8AaCe712gZikRAj7NZpTo + 5KbagQuRKN/THs9HDWCegyhxuUxoDVHAOgIkhdMFjULXBEqGats6hJ9/3VI0JgmA + uu5MDrhbtQkRhDFA5pdsOSv26dqARgZUrTbUJhh+RLIZQNHqlMiicH55CVniZXvS + XgHVDOXloDZZzfliepTOLcokudX6fglrJ0zioPsuqb1i13lbPJAPFqwwpJTjDxLa + UQ0CpoEVnhWUzPTzNFei2BRUNhwwWuXuRLrmgh5Y2QAqwEFubktVRuUTdL5j5kU= + =pxXV + -----END PGP MESSAGE----- + fp: E5B4FE1E0209DFFE320D2A2E47087747D89B72EC + - created_at: "2023-03-02T14:39:34Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA4Npij8bx0m7AQ//b4WdVJCwIXSO4EJ3PGAE6V5B0+YuohtDju+vUH8JHZaC + prVVrYNmsqplowTQ2f83yXtt953td0v6YznyLTdSEQ5JYrWqFqRgS5Ad5BVjq/ww + hfe1OgYDfifL+B/zWXGQHRQsXhr1/bsnlDhFKWGRCN5Ywq8dSdMjaxjWjjAKPJ1/ + koZaVoED19MaFEfGgGvtRT54Bj6EZEiaZdZcoh0t13RhLi/9CzSLdrUCnjbQyDq8 + HXge8XgeGeWLI7ZDhCKjtQO9TXcAwO93lZhsyv7rX3PwP/Pu+aMYhrmQCZE1f5Ud + 9OPAtelA+ScizcQN4/oeqIrlc0p/J6gl9CPdTOX0yR04b0LLdfUHJhI4Qmnuwppx + P1jKHt16OIw2yIsZXr69JSQG3nv7V3h29aMvCOuACzdNaIz9xJxy0ZSRJm7/Zj6+ + NwdTmE4Kq4oUD70to549LvSKiyrsWtz+Y0cfBlg1486lWaRR7XQc/q+DXjTlJBev + 
Zd0u0iac69iujzSOv+afoiesLBOpDaIu2dc9RBfvYh3iyO/ieL5SdEbLcGzq0ZLY + yHmdsB7BmdsEbVUZVQ5aN/Po+BOXF9+pTcAXbws4ZfdWNWVaA7F+19SltPkXR+Fc + OMXWlP5kEJnb11NukgmIDkStW6t+xKoLksf/8kU4WUqB16D2P0MLfOCMHRdhrQ3S + XgG0yLmcrdgyoH1KN0fJix9MZYamuUFtRJ5uEncdIrNBbNG4P91bInrd8G5jvxF8 + 3eCR2AKDmZMS2tHXNx0C0gJXunIZdHRMd53MpzDRapHWwmdv5j61KtjHwUvnwP0= + =pS3b + -----END PGP MESSAGE----- + fp: D65D400040387210377B6A71DFD775644EAAC77B + - created_at: "2023-03-02T14:39:34Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA+5f33GLJ89bARAAjHJC5CmZnJLmsi22tUGQe/lrUFwhsvRy1AJrkDpNdro0 + BuVcfYKnUW52utr0W3WJITtGM2S8YXvUD03mIOfncoORfFSUiej9+gV7+oU30Ozn + JjkWgk8zGf1IEeOJRNHocnKrAN/03FR31sGH3yoR1lvmEPb9cuuvKJfgd0YJ17Bt + 6CfnXAw/gP1rKmcr9MYeUEYQaX9XAqRRD+Ib9uvwq5+DQImS4qwiGGx1GfxnBrvX + EPpcEJJ8OT1y8QNwbhWjIgnBdxa1t7ttOeE1keV7oHdEsxxZaqFw/0nN+rAlWsNw + UtuDLmEjyGyi/0zNnYctPGlnahusc3Q+tv9Cqd9qQJ17kmQmsaABC33vvu+r92d6 + TaEzpSvX+peAW0IkPa37+ElXF93SjM4qBjStBmIMx5GvJ5559LyKOBOzuDZQjpo4 + YkP2YWdu63zrTUOdvOPc/TjFE0fF1UkwOzj7p5uEBpmArclNCpgk+xs9AVZi6HW4 + ZFuVEKjzyhNXqUq5FIz9AadwhSEeTQGtRcaiQNtZxbczcIYBg3h5/L7zTrhAguUK + 6qr/EqPVmHkbIEwupUiutw4+qu6ymQ2Z45zHjMsgIe7G9S9ldDPFDwgXDsUrnbVY + QSSySsN2LOGxlzUlYtBm15Vpb/KtvnuZvZeIrdc+Ibwui+xVGG/As8iq5gxheEHS + XgH+BE2QNWsG60pTpXVNOFAlMpk2bRzM+WeDn2pvPN4W0Dvpwbb9cvOV1VCOdEOZ + KLJvhE59qe+xKygZouq1DuSfspsnmjU7GCfjW0V7SPczkwtIN/S1xc9QnBocIa4= + =zkAa + -----END PGP MESSAGE----- + fp: BE3FB94982C2DE95B1EDD388A96613A6B1DB15B5 + - created_at: "2023-03-02T14:39:34Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQGMA+cOSmNXMUmKAQwAia4k0z14Nl8AIII9QaYBxr5cMh2wqWQfZEsoNglIqPKR + ZOrbj35E3QjkkUWpSZbz9uBGtcFWgvCA4i+f/T8tU3CiiM8OsM1bsoUdrO/Zo+Ud + +MX1o7pfHIyVNWNQiHEztETn91cZDkX/sg9w6twrhr5pvPM1o09T4hX0jYUzLMvp + VhRdYrMsrasXIAlc1714LWSE+v6gLk0ahAEvkaNdph8NN6OYsKaoazbXKslNExVS + PpWkou7ZRuHgu9MeB4BAWhuDsD4AFjTkZOaw1QB+zz498aLygZZrV7rysHOswqiX + gfF7AMasrRrZ6lXg9USX0PNtIUwByT3fkXFjYP+FZncVV/IIf59rQvhs+BYjuPul + QEI0Xz/RBzAbkIANuoMHiIx7IdIxPdLhQ189z7A3RPCGGLXcoJ7S+oagYkO/2cx7 
+ rRXdDXFmj6fH9sF8Er/CB9+G9jnGfwdMQfHUJi7e6qL2cIyzBFI4VZhcJfHtHGVh + XJM+lmDQafFGRfakhd1c0l4BNWlqIC6mUfC2/SfWRiSiwkD+8zCgEvlc7ePi32hz + BGzcJrvYrGDvL6sKpjGbrx5QhNUw1dU11X17FjGaPYcUB95wktlAf4Q8s9dJ3/Im + Pxnf8YK9HzSbYDTyiRfo + =m82d + -----END PGP MESSAGE----- + fp: 9F08DA9D42379AFE6610E9E615CCEC6801DBA02E + - created_at: "2023-03-02T14:39:34Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA1kDHheI9SLWARAAtdjUj+Q7gRxts7GsCOOnicZpAyhNNiLQxiF5n787/QN1 + dSRRNt9d0jwpgDpd/xONbb/6sYB3cd8Ihnu0uKX712nndAMC+AtuVXvhQpjXqVhK + URUkQ0H0DuITSWQj8T2FRVRFiVyFueTcGZsnn5mF4QoCjLzvh3wuT4xmuaouZfMa + h+4WrxIm+a2z+XsNXLwwYxpdyVhDgjPtn3PGu76rtzEPn2m+KVIVBoL+OivrtjOw + 8NIlu+0zTe+ntvczbJ/79Vcy/9+RlWPkWUXy7p7wVMkmHDkHvLG/TZT10ufVdp8Q + 6a4xjXUlwoTZHRPkj87hxJVAPv/Bfb2xerdRNmp3n0kVhaKScVwxpRLiAGWm92J1 + QHWiHL5He78oKIiRIcVgzWF1RaxfVOIexceBor2q21wnaVXBK0jpHJ9cKm4gR6Dy + 4hN9gEV0wHxP7HEThHuWGT9lhwFWALlr6jxSa6sIeQF904CdWLXXujq7adHCxCkB + V3P9U1++xbLC4IA62KMZd8tJQduBNjrnGEnV13rP4AHTpI1RDJwEuLTTqWVCFglM + PCqvbbf+O//A3cw6N6n9yORjhIvVRhVps8QP23OiR/AvQLBQPeROkqIzSXUkZPbD + XBq2yFIFzA+RV7frI5pfWTVsyL4p9hoTxUKhf6rBgtfR9OHURxlt+z+j+K8EC7jS + XgEb16RGAs6hKfljWLLZtVaGAxNVHzMQ4ekbWaIyrYhajQkhqDyAqy1uL2/1SSuh + X03hjsMAj+l2fuKFQ9kFiCwbMLQ3HIFlJ7508/ua3UYn7lUa2JLVuQFnUVeBvF4= + =YF9F + -----END PGP MESSAGE----- + fp: 17B8FDF68AC123EB666934B17D0DF6EC048A5D77 + - created_at: "2023-03-02T14:39:34Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DZmNQj/lmIGsSAQdA6hKfQx60zb2ND6oLVNfI6z6uWd87+pFXxzeBO6mnc1gw + dogeAFlQIsE8+WwwVf9uywldm5kReujAsXXOBzThLujSV5TLZNaTsoCn/HH+Zrla + 0l4Bigdv4XXGklbkUIFmuEQZ0tEXrzv9xnmKhKNpnZES62D+E9g1MIPY5ADplwK5 + ujZZEp/Th4k49kp+S1D49zbma5j3CPb1k6fN6gTQMQFGaZwONhRlpEdF0p700b8h + =I6Zm + -----END PGP MESSAGE----- + fp: 73C2C9954D1BC94DC6682525D2FA233B52AEC75C + unencrypted_suffix: _unencrypted + version: 3.7.1 
diff --git a/templates/.servicemonitor_s3_minio.yaml.swp b/templates/.servicemonitor_s3_minio.yaml.swp
new file mode 100644
index 0000000..5ce1006
Binary files /dev/null and b/templates/.servicemonitor_s3_minio.yaml.swp differ
diff --git a/templates/minio/netpol_egress-miniopods2miniooperator.yaml b/templates/minio/netpol_egress-miniopods2miniooperator.yaml
new file mode 100644
index 0000000..655af91
--- /dev/null
+++ b/templates/minio/netpol_egress-miniopods2miniooperator.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: egress-miniopods2miniooperator
+spec:
+ podSelector:
+ matchLabels:
+ v1.min.io/tenant: {{ .Values.tenant.tenant.name }}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: minio-operator
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: minio-operator
+
+ ports:
+ - protocol: TCP
+ port: 4222
diff --git a/templates/minio/netpol_egress-miniopods2prometheus.yaml b/templates/minio/netpol_egress-miniopods2prometheus.yaml
new file mode 100644
index 0000000..48afdd2
--- /dev/null
+++ b/templates/minio/netpol_egress-miniopods2prometheus.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: egress-miniopods2prometheus # to display metric stuff within s3-console
+spec:
+ egress:
+ - ports:
+ - port: 9090
+ protocol: TCP
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ prometheus: kube-prometheus-stack-prometheus
+ podSelector:
+ matchLabels:
+ v1.min.io/tenant: {{ .Values.tenant.tenant.name }}
+ policyTypes:
+ - Egress
diff --git a/templates/minio/netpol_ingress-miniooperator2miniopods.yaml b/templates/minio/netpol_ingress-miniooperator2miniopods.yaml
new file mode 100644
index 0000000..56f45ec
--- /dev/null
+++ b/templates/minio/netpol_ingress-miniooperator2miniopods.yaml
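Review bot: `v1.min.io/tenant: {{ .Values.tenant.tenant.name }}` is rendered as a plain scalar, so a tenant name that is empty, or that looks like a number or boolean, is retyped or becomes null before the API server ever validates the selector; `v1.min.io/tenant: {{ .Values.tenant.tenant.name | quote }}` keeps it a string. The same unquoted expansion appears in netpol_egress-miniopods2prometheus.yaml, both minio ingress policies, the `cluster-name` selectors under templates/postgres and `release: {{ .Values.global.prometheus.release_label }}` in the PrometheusRule. The blank line between the `to:` peers and `ports:` inside the single egress rule is valid YAML but reads as if `ports` started a second rule, so dropping it avoids a misreading of what port 4222 applies to.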
@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: ingress-miniooperator2miniopods
+# allow traffic from minio-operator NS to current NS across all ports
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: minio-operator
+ podSelector:
+ matchLabels:
+ v1.min.io/tenant: {{ .Values.tenant.tenant.name }}
+ policyTypes:
+ - Ingress
diff --git a/templates/minio/netpol_ingress-nginx2miniopods.yaml b/templates/minio/netpol_ingress-nginx2miniopods.yaml
new file mode 100644
index 0000000..320b5e2
--- /dev/null
+++ b/templates/minio/netpol_ingress-nginx2miniopods.yaml
@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: ingress-nginx2miniopods
+# allow traffic from minio-operator NS to current NS across all ports
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress
+ podSelector:
+ matchLabels:
+ v1.min.io/tenant: {{ .Values.tenant.tenant.name }}
+ policyTypes:
+ - Ingress
diff --git a/templates/minio/secret_minio_user1.yaml b/templates/minio/secret_minio_user1.yaml
new file mode 100644
index 0000000..e28c96e
--- /dev/null
+++ b/templates/minio/secret_minio_user1.yaml
@@ -0,0 +1,11 @@
+{{- range $users := .Values.minio_tenant_users }}
+apiVersion: v1
+stringData:
+ CONSOLE_ACCESS_KEY: {{ $users.name }}
+ CONSOLE_SECRET_KEY: {{ $users.password }}
+kind: Secret
+metadata:
+ name: {{ $users.name }}
+type: Opaque
+---
+{{- end }}
diff --git a/templates/netpol_egress-all2all-nsinternal.yaml b/templates/netpol_egress-all2all-nsinternal.yaml
new file mode 100644
index 0000000..111fe14
--- /dev/null
+++ b/templates/netpol_egress-all2all-nsinternal.yaml
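Review bot: The comment `# allow traffic from minio-operator NS to current NS across all ports` in netpol_ingress-nginx2miniopods.yaml was carried over from netpol_ingress-miniooperator2miniopods.yaml; this policy selects the `ingress` namespace, so the comment names the wrong peer and should read `# allow traffic from the ingress-controller NS to the minio tenant pods`. Unlike the operator, the ingress controller only needs the ports the two Ingress resources in values.yaml proxy to, so a `ports:` list on this rule would be the least-privilege form; the tenant's API and console ports are not visible in this chart, so confirm them against the tenant subchart before adding it.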
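Review bot: `CONSOLE_SECRET_KEY: {{ $users.password }}` and `CONSOLE_ACCESS_KEY: {{ $users.name }}` are rendered as plain scalars, so a password containing `: `, ` #`, a leading `*`, `&`, `[` or `{`, or one that looks like a number or boolean, breaks the render or is retyped before it reaches the Secret; write `{{ $users.password | quote }}` and `{{ $users.name | quote }}` for all three expansions. `name: {{ $users.name }}` also makes the console user name the Secret name, which must be a DNS-1123 label, so a user name with uppercase letters or underscores fails at apply time; a fixed prefix plus the name would decouple the two. The loop variable holds one entry, so `$user` describes it better than `$users`.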
@@ -0,0 +1,13 @@
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: egress-all2all-nsinternal
+spec:
+ podSelector: {}
+ egress:
+ - to:
+ - podSelector: {}
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Release.Namespace }}
diff --git a/templates/netpol_egress-all2lb-ip.yaml b/templates/netpol_egress-all2lb-ip.yaml
new file mode 100644
index 0000000..90fbb86
--- /dev/null
+++ b/templates/netpol_egress-all2lb-ip.yaml
@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: egress-all2lb-ip
+spec:
+ egress:
+ - ports:
+ - port: 443
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: 167.235.109.35/32
+ podSelector: {}
+ policyTypes:
+ - Egress
diff --git a/templates/netpol_egress-all2prometheuspushgw.yaml b/templates/netpol_egress-all2prometheuspushgw.yaml
new file mode 100644
index 0000000..bac05cf
--- /dev/null
+++ b/templates/netpol_egress-all2prometheuspushgw.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: egress-all2prometheuspushgw
+spec:
+ podSelector: {}
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: prometheus-pushgateway
+ ports:
+ - protocol: TCP
+ port: 9091
+ policyTypes:
+ - Egress
diff --git a/templates/netpol_ingress-all2all-nsinternal.yaml b/templates/netpol_ingress-all2all-nsinternal.yaml
new file mode 100644
index 0000000..19114e0
--- /dev/null
+++ b/templates/netpol_ingress-all2all-nsinternal.yaml
@@ -0,0 +1,13 @@
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: ingress-all2all-nsinternal
+spec:
+ podSelector: {}
+ ingress:
+ - from:
+ - podSelector: {}
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Release.Namespace }}
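Review bot: `cidr: 167.235.109.35/32` in netpol_egress-all2lb-ip.yaml is a cluster-specific address hard-coded in a template, and the same address is repeated in templates/postgres/netpol_egress-postgres2loadbalancer.yaml, so a load-balancer change means editing two templates instead of one value. Move it to values.yaml (for example a `network.loadBalancerCIDR` key) and reference it from both policies, with a comment saying what the address is, since `lb-ip` in the policy name is the only hint. The three API-server CIDRs in templates/postgres/netpol_egress-pginstances2k8s.yaml are the same kind of value and belong next to it.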
diff --git a/templates/pg-exporter/secret_postgres_exporter_database_connection.yaml b/templates/pg-exporter/secret_postgres_exporter_database_connection.yaml
new file mode 100644
index 0000000..215df35
--- /dev/null
+++ b/templates/pg-exporter/secret_postgres_exporter_database_connection.yaml
@@ -0,0 +1,9 @@
+{{- if ((.Values.prometheusPgExporter).dbCredentials) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: postgres-exporter-database-connection
+type: Opaque
+stringData:
+ datasource: "postgresql://{{ .Values.prometheusPgExporter.dbCredentials.pgUsername }}:{{ .Values.prometheusPgExporter.dbCredentials.pgPassword }}@{{ .Values.prometheusPgExporter.dbCredentials.pgHostname }}:5432/postgres?sslmode=require"
+{{- end }}
diff --git a/templates/postgres/cm_postgres_bkp.yaml b/templates/postgres/cm_postgres_bkp.yaml
new file mode 100644
index 0000000..d59b35d
--- /dev/null
+++ b/templates/postgres/cm_postgres_bkp.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pg-cluster-config
+data:
+ AWS_ACCESS_KEY_ID: {{ .Values.postgres_bkp.bkp_user }}
+ AWS_SECRET_ACCESS_KEY: {{ .Values.postgres_bkp.bkp_pass }}
+ AWS_ENDPOINT: {{ .Values.postgres_bkp.bkp_url }}
+ AWS_REGION: ""
+ AWS_S3_FORCE_PATH_STYLE: "true" # needed for MinIO
+ BACKUP_NUM_TO_RETAIN: "7"
+ BACKUP_SCHEDULE: "00 2 * * *"
+ CLONE_USE_WALG_RESTORE: "true"
+ USE_WALG_BACKUP: "true"
+ USE_WALG_RESTORE: "true"
+ WALG_DISABLE_S3_SSE: "true"
+ WAL_S3_BUCKET: postgres
+ WAL_BUCKET_SCOPE_PREFIX: ""
+ WAL_BUCKET_SCOPE_SUFFIX: ""
+ CRONTAB: "['* * * * * /nso_scripts/backup-monitoring.sh']"
diff --git a/templates/postgres/configmap_backup_monitoring.yaml b/templates/postgres/configmap_backup_monitoring.yaml
new file mode 100644
index 0000000..6a3780e
--- /dev/null
+++ b/templates/postgres/configmap_backup_monitoring.yaml
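Review bot: The DSN on the `datasource:` line splices `pgUsername` and `pgPassword` into the URL raw, so a password containing `@`, `/`, `:`, `?`, `#` or `%` is parsed as a different host or user and the exporter cannot connect; pipe both through the template's `urlquery` function (`{{ .Values.prometheusPgExporter.dbCredentials.pgPassword | urlquery }}`), and the hostname likewise if it may ever carry a port. `sslmode=require` encrypts the connection but does not verify the server certificate; if the exporter image trusts the CA the cluster's certificate is issued from, `verify-full` with `sslrootcert` would also pin the endpoint, otherwise a comment stating that verification is deliberately skipped for the in-cluster hostname saves the next reader the question. The `{{- if ((.Values.prometheusPgExporter).dbCredentials) }}` guard is fine, but values.yaml declares no `prometheusPgExporter` key, so the Secret only renders when secrets.yaml is supplied — worth a comment on the guard.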
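Review bot: `AWS_SECRET_ACCESS_KEY: {{ .Values.postgres_bkp.bkp_pass }}` writes a credential that secrets.yaml keeps sops-encrypted into a ConfigMap, where it is readable by any identity with `get configmaps` in the namespace, is outside an etcd encryption-at-rest configuration scoped to Secrets, and shows up in `kubectl describe` and audit output; the same applies to `AWS_ACCESS_KEY_ID` and arguably `AWS_ENDPOINT`. Move those keys into a `kind: Secret` and keep the non-sensitive WAL-G tuning in this ConfigMap; how `pg-cluster-config` is wired into the cluster pods is not visible in this chart, but the zalando operator can source pod environment from a Secret via its `pod_environment_secret_name` setting, so confirm that path is available. The three templated values are also rendered without `| quote`, so a key that starts with a YAML indicator or looks like a number would break the render or be retyped.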
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: backup-monitoring-script
+data:
+ backup-monitoring.sh: |
+ #!/bin/bash
+ #
+ #
+
+ echo "`date` INFO script was executed" >> /tmp/monitoring_cron_status.log
+
+ LAST_BKP=$(envdir "/run/etc/wal-e.d/env" wal-g backup-list --detail --json | jq -r .[-1].finish_time)
+
+ LAST_BKP_DATE_IN_UNIXSEC=$(date -d ${LAST_BKP} +"%s")
+
+ STAGE={{ .Release.Name }}
+ echo "pg_basebackup_successful_timestamp_${STAGE} ${LAST_BKP_DATE_IN_UNIXSEC}" | curl --data-binary @- "{{ .Values.postgres.monitoring.prometheusPushgatewayURL }}"
diff --git a/templates/postgres/netpol_egress-pginstances2k8s.yaml b/templates/postgres/netpol_egress-pginstances2k8s.yaml
new file mode 100644
index 0000000..9899e3e
--- /dev/null
+++ b/templates/postgres/netpol_egress-pginstances2k8s.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: egress-pginstances2k8s
+# netpol needed due to https://issues.arxes-tolina.de/browse/DEV-745
+# allow connection against k8s-api server
+spec:
+ egress:
+ - ports:
+ - port: 443
+ protocol: TCP
+ - port: 6443
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: 10.3.0.2/32
+ - ipBlock:
+ cidr: 10.3.0.5/32
+ - ipBlock:
+ cidr: 10.3.0.6/32
+ podSelector:
+ matchLabels:
+ cluster-name: postgres-cluster
+ policyTypes:
+ - Egress
diff --git a/templates/postgres/netpol_egress-pginstances2zalpgoperatoriam.yaml b/templates/postgres/netpol_egress-pginstances2zalpgoperatoriam.yaml
new file mode 100644
index 0000000..9185e24
--- /dev/null
+++ b/templates/postgres/netpol_egress-pginstances2zalpgoperatoriam.yaml
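Review bot: `STAGE={{ .Release.Name }}` is spliced into the metric name on the last script line, and a release name containing `-` (the chart itself is named mobene-keycloak) yields `pg_basebackup_successful_timestamp_mobene-keycloak`, which is not a valid Prometheus metric name, so the pushgateway rejects the push and the same suffix in prometheusrule_monitoring_basebackup.yaml is read by PromQL as a subtraction. Keep a fixed metric name and put the release into the pushgateway grouping key by appending `/stage/${STAGE}` to the push URL, which attaches it as a `stage` label and keeps releases from overwriting each other's group; the rule then becomes `absent(pg_basebackup_successful_timestamp{stage="{{ .Release.Name }}"}) or (time() - pg_basebackup_successful_timestamp{stage="{{ .Release.Name }}"} > {{ .Values.postgres.monitoring.alerts.postgres.basebackup.timeThreshold }})`. The script also runs without `set -euo pipefail`, leaves `${LAST_BKP}` unquoted, and when `wal-g backup-list` reports no backups `jq` prints `null`, `date -d null` fails, and a sample with an empty value is pushed and rejected while curl's exit status is ignored, so the failure is invisible in the cron log. Exiting before the push in that case leaves the previous timestamp in the gateway so the age alert fires, and `curl --fail` surfaces a rejected push.
```yaml
  backup-monitoring.sh: |
    #!/bin/bash
    set -euo pipefail
    # … unchanged: execution log line …
    LAST_BKP=$(envdir "/run/etc/wal-e.d/env" wal-g backup-list --detail --json | jq -r '.[-1].finish_time')
    # no backup listed yet (or wal-g failed): push nothing so absent()/age alerting fires
    if [ -z "${LAST_BKP}" ] || [ "${LAST_BKP}" = "null" ]; then
      exit 1
    fi
    LAST_BKP_DATE_IN_UNIXSEC=$(date -d "${LAST_BKP}" +"%s")
    STAGE={{ .Release.Name }}
    # fixed metric name; the release goes into the pushgateway grouping key and becomes the "stage" label
    echo "pg_basebackup_successful_timestamp ${LAST_BKP_DATE_IN_UNIXSEC}" | curl --fail --silent --show-error --data-binary @- "{{ .Values.postgres.monitoring.prometheusPushgatewayURL }}/stage/${STAGE}"
```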
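Review bot: `cluster-name: postgres-cluster` in netpol_egress-pginstances2k8s.yaml hard-codes the pod selector, while netpol_egress-pginstances2zalpgoperatoriam.yaml and netpol_ingress-zalpgoperator2pginstances.yaml select on `{{ .Values.postgres.name }}` and pg_cluster.yaml falls back to `default "pgcluster"`; the three spellings only agree as long as values.yaml keeps `postgres.name: postgres-cluster`, and a renamed cluster would silently leave this policy and netpol_egress-postgres2loadbalancer.yaml matching no pods while the others still do. Use one expression in all four policies, `cluster-name: {{ .Values.postgres.name | default "pgcluster" | quote }}`, or better move the default into values.yaml so no template needs `default` at all. The CIDRs `10.3.0.2/32`, `10.3.0.5/32` and `10.3.0.6/32` are cluster-specific and belong in values as well, and the DEV-745 comment would be more useful if it said why the control-plane endpoints have to be listed by address so the next reader knows when the list can be retired.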
@@ -0,0 +1,20 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: pginstances2zalpgoperator
+spec:
+ podSelector:
+ matchLabels:
+ cluster-name: {{ .Values.postgres.name }}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Values.postgres.pg_operator.namespace }}
+ ports:
+ - protocol: TCP
+ port: 8080
+
diff --git a/templates/postgres/netpol_egress-postgres2loadbalancer.yaml b/templates/postgres/netpol_egress-postgres2loadbalancer.yaml
new file mode 100644
index 0000000..fdaf1e9
--- /dev/null
+++ b/templates/postgres/netpol_egress-postgres2loadbalancer.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: egress-postgres2loadbalancer
+spec:
+ podSelector:
+ matchLabels:
+ cluster-name: postgres-cluster
+ egress:
+ - ports:
+ - protocol: TCP
+ port: 443
+ to:
+ - ipBlock:
+ cidr: 167.235.109.35/32
+ policyTypes:
+ - Egress
diff --git a/templates/postgres/netpol_ingress-zalpgoperator2pginstances.yaml b/templates/postgres/netpol_ingress-zalpgoperator2pginstances.yaml
new file mode 100644
index 0000000..8f81b52
--- /dev/null
+++ b/templates/postgres/netpol_ingress-zalpgoperator2pginstances.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: ingress-zalpgoperator2pginstances
+spec:
+ podSelector:
+ matchLabels:
+ cluster-name: {{ .Values.postgres.name }}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Values.postgres.pg_operator.namespace }}
+ ports:
+ - protocol: TCP
+ port: 5432
+ - protocol: TCP
+ port: 8008
+ - protocol: TCP
+ port: 8080
+
diff --git a/templates/postgres/pg_cluster.yaml b/templates/postgres/pg_cluster.yaml
new file mode 100644
index 0000000..67f5f3d
--- /dev/null
+++ b/templates/postgres/pg_cluster.yaml
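Review bot: `name: pginstances2zalpgoperator` drops the `egress-` prefix that every other policy in this chart, and this file's own name, carries, so the direction of the rule is no longer visible in `kubectl get networkpolicy` output; rename it to `name: egress-pginstances2zalpgoperator`. `{{ .Values.postgres.pg_operator.namespace }}` is rendered unquoted here and in netpol_ingress-zalpgoperator2pginstances.yaml; `| quote` keeps a namespace such as one made only of digits a string. Both files also end with an added blank line, which yamllint reports under `empty-lines`.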
@@ -0,0 +1,8 @@
+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+ name: {{ .Values.postgres.name | default "pgcluster" }}
+{{- with .Values.postgres.spec }}
+spec:
+ {{- toYaml . | nindent 2 }}
+{{- end }}
diff --git a/templates/postgres/prometheusrule_monitoring_basebackup.yaml b/templates/postgres/prometheusrule_monitoring_basebackup.yaml
new file mode 100644
index 0000000..6435bff
--- /dev/null
+++ b/templates/postgres/prometheusrule_monitoring_basebackup.yaml
@@ -0,0 +1,20 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ labels:
+ prometheus: kube-prometheus-stack-prometheus
+ role: alert-rules
+ release: {{ .Values.global.prometheus.release_label }}
+ name: postgres-basebackup
+spec:
+ groups:
+ - name: "postgres_basebackup.rules"
+ rules:
+ - alert: postgres basebackup too old
+ for: 5m
+ labels:
+ team: {{ .Values.postgres.monitoring.alerts.postgres.basebackup.teamLabel | quote }}
+ severity: critical
+ expr: absent(pg_basebackup_successful_timestamp_{{ .Release.Name }}) or (time() - pg_basebackup_successful_timestamp_{{ .Release.Name }} > {{ .Values.postgres.monitoring.alerts.postgres.basebackup.timeThreshold }})
+ annotations:
+ message: last postgres backup found older than {{ .Values.postgres.monitoring.alerts.postgres.basebackup.timeThreshold }}
diff --git a/values.yaml b/values.yaml
new file mode 100644
index 0000000..b29dbf0
--- /dev/null
+++ b/values.yaml
@@ -0,0 +1,119 @@ +global: + prometheus: + release_label: kube-prometheus-stack + +tenant: + tenant: + name: s3-mobene-keycloak-prodwork01 + configuration: + name: minio-config + pools: + - servers: 4 + volumesPerServer: 2 + storageClassName: hcloud-volumes + size: 10Gi + buckets: + - name: postgres + region: "" + users: + - name: pgbackup + prometheus: + diskCapacityGB: false + log: + audit: + diskCapacityGB: false + env: + - name: MINIO_PROMETHEUS_AUTH_TYPE + value: "public" + - name: MINIO_PROMETHEUS_JOB_ID + value: "mobene-keycloak" + - name: MINIO_PROMETHEUS_URL + value: "http://kube-prometheus-stack-prometheus.monitoring:9090" + - name: CONSOLE_PROMETHEUS_URL + value: "http://kube-prometheus-stack-prometheus.monitoring:9090" + ingress: + api: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + cert-manager.io/issue-temporary-certificate: "true" + nginx.ingress.kubernetes.io/backend-protocol: HTTPS + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: 32m + nginx.ingress.kubernetes.io/whitelist-source-range: >- + 212.121.131.106/32,149.233.6.129/32,46.245.219.98/32,164.138.195.162/32,195.201.31.227/32,167.235.150.201/32,167.235.150.198/32,167.235.150.195/32,167.235.150.133/32,167.235.150.197/32,23.88.53.161/32,195.201.113.110/32,5.75.184.216/32,195.201.127.50/32,164.92.251.253/32 + host: s3storage-mobene-keycloak-prodwork01.smardigo.digital + tls: + - secretName: s3-miniotest-cert + hosts: + - s3storage-mobene-keycloak-prodwork01.smardigo.digital + console: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + cert-manager.io/issue-temporary-certificate: "true" + nginx.ingress.kubernetes.io/backend-protocol: HTTPS + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + host: s3console-mobene-keycloak-prodwork01.smardigo.digital + tls: + - secretName: s3-console-cert + hosts: + - 
s3console-mobene-keycloak-prodwork01.smardigo.digital + +postgres: + pg_operator: + namespace: zalando-postgres-operator + monitoring: + prometheusPushgatewayURL: "http://prometheus-pushgateway.monitoring:9091/metrics/job/pg_basebackup" + alerts: + postgres: + basebackup: + timeThreshold: 86400 + teamLabel: '' # empty but no defined alertmanager receiver => catchall devops-team + name: postgres-cluster + spec: + teamId: "postgres" + volume: + size: 10Gi + numberOfInstances: 3 + users: + keycloak_admin: + - superuser + - createdb + databases: + keycloak: keycloak_admin + preparedDatabases: + keycloak: {} + postgresql: + version: "14" + parameters: + max_connections: "100" + resources: + limits: + memory: 2Gi + requests: + cpu: "0.5" + additionalVolumes: + - + name: backup-monitoring-script + mountPath: /nso_scripts/ + volumeSource: + configMap: + name: backup-monitoring-script + defaultMode: 0777 + targetContainers: + - postgres + +prometheus-postgres-exporter: + serviceMonitor: + enabled: true + labels: + release: kube-prometheus-stack + rbac: + pspEnabled: false + config: + datasourceSecret: + name: postgres-exporter-database-connection + key: datasource
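Review bot: `users: keycloak_admin: - superuser - createdb` grants the application's own database role `superuser`, so anything holding the keycloak credentials can read every database in the cluster and reach OS-level privileges on the database pod; the `databases: keycloak: keycloak_admin` entry already makes that role the owner of its database, so `- createdb` alone (or an empty list) is sufficient unless superuser is needed for a reason worth a comment next to it. `MINIO_PROMETHEUS_AUTH_TYPE: "public"` disables authentication on the tenant's metrics endpoint, which is defensible only because the ingress allowlist and the network policies in this chart decide who can reach it, so a comment saying that is the intent would help the next reader. `defaultMode: 0777` on the backup-monitoring-script mount is wider than the cron job needs; `0555` executes the script just as well, and quoting or writing it as `0o777` avoids the YAML 1.1 octal ambiguity.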