DEV-898: erster Schwung s3+pg+pg-exp - keycloak missing

main
friedrich goerz 3 years ago
parent fd43b676ab
commit 83779c0a15

5
.gitignore vendored

@ -0,0 +1,5 @@
Chart.lock
charts/
.vscode/settings.json
.DS_Store
secrets*.yaml.dec

@ -0,0 +1,18 @@
# Fingerprint | User ID
# keys in https://git.dev-at.de/smardigo-hetzner/communication-keys
# D65D400040387210377B6A71DFD775644EAAC77B Friedrich Goerz <friedrich.goerz@netgo.de>
# E5B4FE1E0209DFFE320D2A2E47087747D89B72EC smardigo automation PRODNSO <NSO-Team-DevOps@netgo.de>
# BE3FB94982C2DE95B1EDD388A96613A6B1DB15B5 Sven Ketelsen <sven.ketelsen@netgo.de>
# 9F08DA9D42379AFE6610E9E615CCEC6801DBA02E Hoan To <hoan.to@netgo.de>
# 17B8FDF68AC123EB666934B17D0DF6EC048A5D77 Claus Paetow <claus.paetow@netgo.de>
# 73C2C9954D1BC94DC6682525D2FA233B52AEC75C Michael Haehnel <michael.haehnel@netgo.de>
creation_rules:
# list of keys for encryption in stage
- pgp: >-
E5B4FE1E0209DFFE320D2A2E47087747D89B72EC,
D65D400040387210377B6A71DFD775644EAAC77B,
BE3FB94982C2DE95B1EDD388A96613A6B1DB15B5,
9F08DA9D42379AFE6610E9E615CCEC6801DBA02E,
17B8FDF68AC123EB666934B17D0DF6EC048A5D77,
73C2C9954D1BC94DC6682525D2FA233B52AEC75C

@ -0,0 +1,32 @@
apiVersion: v2
name: mobene-keycloak
description: Installing separate keycloak instance for mobene
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.2
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "0.1.19"
dependencies:
- name: tenant
version: 4.5.4
repository: oci://prodnso-harbor-01.smardigo.digital/infrastructure
- name: prometheus-postgres-exporter
version: 4.2.1
repository: oci://prodnso-harbor-01.smardigo.digital/infrastructure
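Review bot: The `prometheus-postgres-exporter` dependency has no `condition`, while the Secret it is pointed at (`postgres-exporter-database-connection`, referenced from `config.datasourceSecret` in values) is only rendered when `.Values.prometheusPgExporter.dbCredentials` is set, so an install without those credentials deploys the exporter with a dangling secret reference. Add `condition: prometheusPgExporter.enabled` to the dependency and gate the Secret template on the same flag so both toggle together. It would also help to state in `description` that the chart expects the MinIO operator and the Zalando Postgres operator to be present in the cluster, since it renders their custom resources but does not install them.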

@ -0,0 +1,137 @@
minio_tenant_users:
- name: ENC[AES256_GCM,data:Gl4pHCmoAng=,iv:dnj/J1mdIU8TzTRl4ibw9xWR3Uqf4RVDvsyHe9oY4ig=,tag:aHLQVUzdV/e1gI0wvmEhKg==,type:str]
password: ENC[AES256_GCM,data:w3t4MBzd/qSaTk3HYsmNQYaoj8qRQTiP4RB1QmNOLKM=,iv:N1aKjeWymH4/jMBd5cmasXLBI48N/OO19v4ngNnO3G4=,tag:G8XOn9lGMhixLC/34Wl6rQ==,type:str]
postgres_bkp:
bkp_user: ENC[AES256_GCM,data:UUPYn8QDu9w=,iv:yIiPnniKq/8u6hStgOgOHni24LDvWAkGjx5y3VS7pPU=,tag:I1H0jHhRAlLjTBGVisP7Bg==,type:str]
bkp_pass: ENC[AES256_GCM,data:jD4akr1jsdIdWzQ+PRiaMvHwgQsoJKYqgrVZiaUO6hE=,iv:PEJCmopoVsEbkmyE4trqGxVFgA/OnwoiljGQxYqmaRc=,tag:9A0A1yTeFLRM5kcjTSBs0A==,type:str]
bkp_url: ENC[AES256_GCM,data:I+r1ftNRbiv2/N1dGois3CQ0NG1N2B+MZKRtGv67Bg3eRJEpLy6+GIvveKHCIFBpqH9CldWXzXm4pCASCA==,iv:XIiLxdl/kDxWWRERnLRrgD1J4LXJmBOngKSsqQH0CgI=,tag:R7P+EkhGKS9aUcoAesGLXQ==,type:str]
tenant:
secrets:
name: ENC[AES256_GCM,data:qR9a5idBMJgkNi6c,iv:QgM0n25QAYkUQiyhWFNc5PfcnUZMOqWHey5NcThpZK8=,tag:HbvbbQWIj+PIErM3k5vl/Q==,type:str]
accessKey: ENC[AES256_GCM,data:XtehJFc=,iv:du0nWTio2L+KkXMpvuii6WEp1VawdKzQ/DC2vJ51G4Q=,tag:EmHY949y7+lsmG5XppVPqA==,type:str]
secretKey: ENC[AES256_GCM,data:f5XpuVs5NmFZxgs9jGnMRrjRQpUmvlA7x5uN9x48X1w=,iv:BoQW+9PdJA3OVMhBLeBVM2ldB4G4iRSzTgNcJWYWobQ=,tag:iv6iRw5yU9u9vwNqpRXnoQ==,type:str]
prometheusPgExporter:
dbCredentials:
pgHostname: ENC[AES256_GCM,data:Xgl4RtvBuYzmWl+tV8ToJA==,iv:tbS5JBttZIqvB51UpWuyI3JYqSfrqFamgsCVQ2KMiRI=,tag:KgrBmMRch+IcSEeA5vSNuQ==,type:str]
pgUsername: ENC[AES256_GCM,data:V/8m4/VKT2XTT8ySXpQv/yI=,iv:Ydus78HYDIOi9/9huFTL9GNp9oIRWOLgi/PAtCD8gvU=,tag:hFADQ/wqfLbZNjxNYs/fiA==,type:str]
pgPassword: ENC[AES256_GCM,data:RPGwtcStH9qcQSaFGncuFwoHMA1A29lnhIuovC3ZB3s=,iv:Ne/3uW3Wy4tuG4IJaqwvz45dmxA5Gw+laicqeLJzLzo=,tag:3epeENbw3HJd69VN2xgVvA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-03-02T16:15:25Z"
mac: ENC[AES256_GCM,data:WQB3HtUCm7xq4ODhO1vdKXDv8ZIWneJ5ZAa6WZAUsbN3W+r7Iin39eqj9guvSaoUBM5n+QNeQbNV5PoUkujd/jyaUyqKf0x02Ilb8wLJwZAl4EsgloZGBE3J4Sx7m/L8qhy4YYYLKP83KuaI6wWLiKi9usR2bDuCBnt4/N926vI=,iv:83lD9MaBoS20xHzUrtrLgf3PQTwTX924BYu8IKimu+M=,tag:8h53wTt6Ej/qXdIhZWLtjQ==,type:str]
pgp:
- created_at: "2023-03-02T14:39:34Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=pxXV
-----END PGP MESSAGE-----
fp: E5B4FE1E0209DFFE320D2A2E47087747D89B72EC
- created_at: "2023-03-02T14:39:34Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=pS3b
-----END PGP MESSAGE-----
fp: D65D400040387210377B6A71DFD775644EAAC77B
- created_at: "2023-03-02T14:39:34Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=zkAa
-----END PGP MESSAGE-----
fp: BE3FB94982C2DE95B1EDD388A96613A6B1DB15B5
- created_at: "2023-03-02T14:39:34Z"
enc: |
-----BEGIN PGP MESSAGE-----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=m82d
-----END PGP MESSAGE-----
fp: 9F08DA9D42379AFE6610E9E615CCEC6801DBA02E
- created_at: "2023-03-02T14:39:34Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=YF9F
-----END PGP MESSAGE-----
fp: 17B8FDF68AC123EB666934B17D0DF6EC048A5D77
- created_at: "2023-03-02T14:39:34Z"
enc: |
-----BEGIN PGP MESSAGE-----
hF4DZmNQj/lmIGsSAQdA6hKfQx60zb2ND6oLVNfI6z6uWd87+pFXxzeBO6mnc1gw
dogeAFlQIsE8+WwwVf9uywldm5kReujAsXXOBzThLujSV5TLZNaTsoCn/HH+Zrla
0l4Bigdv4XXGklbkUIFmuEQZ0tEXrzv9xnmKhKNpnZES62D+E9g1MIPY5ADplwK5
ujZZEp/Th4k49kp+S1D49zbma5j3CPb1k6fN6gTQMQFGaZwONhRlpEdF0p700b8h
=I6Zm
-----END PGP MESSAGE-----
fp: 73C2C9954D1BC94DC6682525D2FA233B52AEC75C
unencrypted_suffix: _unencrypted
version: 3.7.1

@ -0,0 +1,23 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: egress-miniopods2miniooperator
spec:
podSelector:
matchLabels:
v1.min.io/tenant: {{ .Values.tenant.tenant.name }}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: minio-operator
podSelector:
matchLabels:
app.kubernetes.io/instance: minio-operator
ports:
- protocol: TCP
port: 4222
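Review bot: `v1.min.io/tenant: {{ .Values.tenant.tenant.name }}` is rendered unquoted, so a tenant name that YAML types as a number or boolean (an all-digit name, for example) lands in the selector as the wrong type and the policy either fails to apply or selects nothing; use `v1.min.io/tenant: {{ .Values.tenant.tenant.name | quote }}`. The same unquoted template appears in egress-miniopods2prometheus, ingress-miniooperator2miniopods and ingress-nginx2miniopods, in the per-user Secret template (`$users.name`, `$users.password` under `stringData`) and in the `pg-cluster-config` ConfigMap (`postgres_bkp.bkp_user`, `bkp_pass`, `bkp_url`). For the credential values the risk is larger, because a generated secret containing `: `, ` #` or a leading `*`, `&` or `{` breaks the render outright rather than merely retyping the value.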

@ -0,0 +1,21 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: egress-miniopods2prometheus # to display metric stuff within s3-console
spec:
egress:
- ports:
- port: 9090
protocol: TCP
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: monitoring
podSelector:
matchLabels:
prometheus: kube-prometheus-stack-prometheus
podSelector:
matchLabels:
v1.min.io/tenant: {{ .Values.tenant.tenant.name }}
policyTypes:
- Egress

@ -0,0 +1,16 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: ingress-miniooperator2miniopods
# allow traffic from minio-operator NS to current NS across all ports
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: minio-operator
podSelector:
matchLabels:
v1.min.io/tenant: {{ .Values.tenant.tenant.name }}
policyTypes:
- Ingress
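Review bot: The rule admits every pod in the `minio-operator` namespace on every port, although the egress counterpart egress-miniopods2miniooperator already narrows the operator side to `app.kubernetes.io/instance: minio-operator`; mirroring that here with a `podSelector:` / `matchLabels:` / `app.kubernetes.io/instance: minio-operator` entry next to the `namespaceSelector` keeps the two directions consistent and stops unrelated pods in that namespace from reaching the tenant. The comment `# allow traffic from minio-operator NS to current NS across all ports` is also slightly off, since the `podSelector` limits the destination to the tenant pods rather than the whole namespace; `# allow minio-operator pods to reach the tenant pods on all ports` matches what the policy does.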

@ -0,0 +1,16 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: ingress-nginx2miniopods
# allow traffic from minio-operator NS to current NS across all ports
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: ingress
podSelector:
matchLabels:
v1.min.io/tenant: {{ .Values.tenant.tenant.name }}
policyTypes:
- Ingress
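Review bot: The comment `# allow traffic from minio-operator NS to current NS across all ports` is copied from the previous policy and contradicts the selector below, which admits the `ingress` namespace; change it to `# allow the ingress controller (ingress NS) to reach the tenant pods`. The rule has no `ports`, so every pod in the ingress namespace can reach the tenant pods on every port, not only the ports the API and console Ingress objects forward to; listing those ports (whatever the tenant service exposes in this deployment) and adding a `podSelector` for the ingress controller would keep the allow-list minimal.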

@ -0,0 +1,11 @@
{{- range $users := .Values.minio_tenant_users }}
apiVersion: v1
stringData:
CONSOLE_ACCESS_KEY: {{ $users.name }}
CONSOLE_SECRET_KEY: {{ $users.password }}
kind: Secret
metadata:
name: {{ $users.name }}
type: Opaque
---
{{- end }}
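Review bot: `metadata.name: {{ $users.name }}` reuses the MinIO access key as the Secret name, which only works while every access key is a valid DNS subdomain (lowercase alphanumerics, `-` and `.`); an access key containing uppercase letters or `_` makes the whole release fail to apply. Derive the Secret name instead, e.g. `name: minio-user-{{ $users.name | lower | replace "_" "-" }}` (constructed, pick the project's naming convention), and keep the raw key only in `CONSOLE_ACCESS_KEY`. `range $users :=` binds one element per iteration, so `$user` reads more naturally than the plural.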

@ -0,0 +1,13 @@
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: egress-all2all-nsinternal
spec:
podSelector: {}
egress:
- to:
- podSelector: {}
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: {{ .Release.Namespace }}
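Review bot: This policy has an `egress` section but no `policyTypes`, and a NetworkPolicy without `policyTypes` is always treated as affecting Ingress as well, so this egress-named object also takes part in isolating ingress for every pod in the namespace; add `policyTypes:` / `- Egress` as the sibling policies do, so the intent is explicit. Separately, none of the egress policies in this commit allow traffic to kube-dns, so unless DNS egress is granted by another chart, name resolution for e.g. the Prometheus pushgateway URL and the S3 endpoint fails as soon as a pod is selected by any egress policy; that is inferred from what is visible here and should be confirmed against the cluster's baseline policies.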

@ -0,0 +1,15 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: egress-all2lb-ip
spec:
egress:
- ports:
- port: 443
protocol: TCP
to:
- ipBlock:
cidr: 167.235.109.35/32
podSelector: {}
policyTypes:
- Egress
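Review bot: `cidr: 167.235.109.35/32` hard-codes a load-balancer address in a chart that is otherwise value-driven, and the same literal is repeated in egress-postgres2loadbalancer, so a change of the LB address has to be found and edited in two templates. Move it to a value (e.g. `cidr: {{ .Values.network.loadbalancerCidr }}`, key name to be chosen) and reference it from both. egress-postgres2loadbalancer is in fact fully covered by this policy, since `podSelector: {}` already selects the postgres pods for the same destination and port, so it can be dropped unless it is meant to survive the removal of this broader rule.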

@ -0,0 +1,19 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: egress-all2prometheuspushgw
spec:
podSelector: {}
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: monitoring
podSelector:
matchLabels:
app.kubernetes.io/instance: prometheus-pushgateway
ports:
- protocol: TCP
port: 9091
policyTypes:
- Egress

@ -0,0 +1,13 @@
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: ingress-all2all-nsinternal
spec:
podSelector: {}
ingress:
- from:
- podSelector: {}
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: {{ .Release.Namespace }}

@ -0,0 +1,9 @@
{{- if ((.Values.prometheusPgExporter).dbCredentials) }}
apiVersion: v1
kind: Secret
metadata:
name: postgres-exporter-database-connection
type: Opaque
stringData:
datasource: "postgresql://{{ .Values.prometheusPgExporter.dbCredentials.pgUsername }}:{{ .Values.prometheusPgExporter.dbCredentials.pgPassword }}@{{ .Values.prometheusPgExporter.dbCredentials.pgHostname }}:5432/postgres?sslmode=require"
{{- end }}
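Review bot: The `datasource` URL interpolates `pgUsername` and `pgPassword` verbatim, so a password containing `@`, `/`, `:`, `?` or `%` (common in generated secrets) yields an unparsable connection string and the exporter never connects; encode both with Go's builtin `urlquery` (`{{ .Values.prometheusPgExporter.dbCredentials.pgUsername | urlquery }}` and likewise for the password), keeping in mind that `urlquery` is `url.QueryEscape`, so a literal space would become `+`. `sslmode=require` encrypts the connection but does not verify the server certificate; `verify-full` with the cluster CA mounted is the stronger option if the operator-issued certificate allows it. The guard `((.Values.prometheusPgExporter).dbCredentials)` is the right nil-safe form, but the chart dependency that consumes this Secret has no matching `condition`, so the two can drift apart.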

@ -0,0 +1,21 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: pg-cluster-config
data:
AWS_ACCESS_KEY_ID: {{ .Values.postgres_bkp.bkp_user }}
AWS_SECRET_ACCESS_KEY: {{ .Values.postgres_bkp.bkp_pass }}
AWS_ENDPOINT: {{ .Values.postgres_bkp.bkp_url }}
AWS_REGION: ""
AWS_S3_FORCE_PATH_STYLE: "true" # needed for MinIO
BACKUP_NUM_TO_RETAIN: "7"
BACKUP_SCHEDULE: "00 2 * * *"
CLONE_USE_WALG_RESTORE: "true"
USE_WALG_BACKUP: "true"
USE_WALG_RESTORE: "true"
WALG_DISABLE_S3_SSE: "true"
WAL_S3_BUCKET: postgres
WAL_BUCKET_SCOPE_PREFIX: ""
WAL_BUCKET_SCOPE_SUFFIX: ""
CRONTAB: "['* * * * * /nso_scripts/backup-monitoring.sh']"
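Review bot: `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are taken from the sops-encrypted `postgres_bkp` values but rendered into a ConfigMap, where they are readable by anyone with configmap read access in the namespace and sit outside Secret-specific RBAC and encryption-at-rest; the whole point of encrypting them in git is lost at deploy time. Split the two keys into a Secret (below) and keep the non-sensitive tuning keys in `pg-cluster-config`; the Zalando operator can source pod environment from a Secret as well (its operator-level `pod_environment_secret` setting), which has to be configured on the operator side. `WALG_DISABLE_S3_SSE: "true"` means the base backups and WAL are stored unencrypted on the MinIO tenant, which is worth a comment stating why (presumably no KMS on the tenant) so it is not read as an accident. The three `postgres_bkp.*` values should also be `| quote`d, as `bkp_url` in particular contains `:` and `/`.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: pg-cluster-secrets   # constructed name; the operator's pod_environment_secret must point here
type: Opaque
stringData:
  AWS_ACCESS_KEY_ID: {{ .Values.postgres_bkp.bkp_user | quote }}
  AWS_SECRET_ACCESS_KEY: {{ .Values.postgres_bkp.bkp_pass | quote }}
# … unchanged: pg-cluster-config ConfigMap keeps AWS_ENDPOINT and the remaining non-secret keys …
```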

@ -0,0 +1,18 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: backup-monitoring-script
data:
backup-monitoring.sh: |
#!/bin/bash
#
#
echo "`date` INFO script was executed" >> /tmp/monitoring_cron_status.log
LAST_BKP=$(envdir "/run/etc/wal-e.d/env" wal-g backup-list --detail --json | jq -r .[-1].finish_time)
LAST_BKP_DATE_IN_UNIXSEC=$(date -d ${LAST_BKP} +"%s")
STAGE={{ .Release.Name }}
echo "pg_basebackup_successful_timestamp_${STAGE} ${LAST_BKP_DATE_IN_UNIXSEC}" | curl --data-binary @- "{{ .Values.postgres.monitoring.prometheusPushgatewayURL }}"
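Review bot: `STAGE={{ .Release.Name }}` is concatenated into the metric name, and Helm release names routinely contain `-`, which is not legal in a Prometheus metric name; the pushgateway then rejects the sample (curl runs without `--fail`, so the cron exit status stays 0 and nobody notices), and the PrometheusRule in this commit that queries `pg_basebackup_successful_timestamp_{{ .Release.Name }}` would parse the hyphen as subtraction. Render the name with `{{ .Release.Name | replace "-" "_" }}` in both the script and the rule (a `stage` label would be the more idiomatic shape, but changes the metric design). The script also takes `.[-1].finish_time` from `wal-g backup-list` without checking for `null` on an empty list, passes it unquoted to `date -d`, and has no `set -e`/`pipefail`, so a failed listing silently pushes an empty sample. The volume that mounts this script gets `defaultMode: 0777` in values; `0555` is enough for a read-only script.
```yaml
  backup-monitoring.sh: |
    #!/bin/bash
    set -euo pipefail
    echo "$(date) INFO script was executed" >> /tmp/monitoring_cron_status.log
    LAST_BKP=$(envdir "/run/etc/wal-e.d/env" wal-g backup-list --detail --json | jq -r '.[-1].finish_time')
    if [ -z "${LAST_BKP}" ] || [ "${LAST_BKP}" = "null" ]; then
      echo "$(date) ERROR no completed backup reported by wal-g" >> /tmp/monitoring_cron_status.log
      exit 1
    fi
    LAST_BKP_DATE_IN_UNIXSEC=$(date -d "${LAST_BKP}" +"%s")
    # '-' is not allowed in a Prometheus metric name; the PrometheusRule must use the same replacement
    STAGE={{ .Release.Name | replace "-" "_" }}
    echo "pg_basebackup_successful_timestamp_${STAGE} ${LAST_BKP_DATE_IN_UNIXSEC}" \
      | curl -sS --fail --data-binary @- "{{ .Values.postgres.monitoring.prometheusPushgatewayURL }}"
```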

@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: egress-pginstances2k8s
# netpol needed due to https://issues.arxes-tolina.de/browse/DEV-745
# allow connection against k8s-api server
spec:
egress:
- ports:
- port: 443
protocol: TCP
- port: 6443
protocol: TCP
to:
- ipBlock:
cidr: 10.3.0.2/32
- ipBlock:
cidr: 10.3.0.5/32
- ipBlock:
cidr: 10.3.0.6/32
podSelector:
matchLabels:
cluster-name: postgres-cluster
policyTypes:
- Egress
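Review bot: `cluster-name: postgres-cluster` is a literal here and in egress-postgres2loadbalancer, while pginstances2zalpgoperator and ingress-zalpgoperator2pginstances select `{{ .Values.postgres.name }}`; overriding `postgres.name` therefore silently detaches the API-server and load-balancer egress rules from the new cluster's pods, which only surfaces as the postgres pods losing access to the Kubernetes API. Use `cluster-name: {{ .Values.postgres.name }}` in both. The three `10.3.0.x/32` API-server endpoints are cluster-specific and belong in values as a list rendered with `range`, with the DEV-745 reference kept in a comment next to the value.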

@ -0,0 +1,20 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: pginstances2zalpgoperator
spec:
podSelector:
matchLabels:
cluster-name: {{ .Values.postgres.name }}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: {{ .Values.postgres.pg_operator.namespace }}
ports:
- protocol: TCP
port: 8080
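Review bot: `name: pginstances2zalpgoperator` drops the `egress-` prefix that every other egress policy in the commit carries, so the policies no longer group by direction in `kubectl get networkpolicy`; rename it to `egress-pginstances2zalpgoperator`. The rule also lets the postgres pods reach every pod in the operator namespace on 8080; a `podSelector` matching the operator deployment's labels would narrow it to the operator itself.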

@ -0,0 +1,18 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: egress-postgres2loadbalancer
spec:
podSelector:
matchLabels:
cluster-name: postgres-cluster
egress:
- ports:
- protocol: TCP
port: 443
to:
- ipBlock:
cidr: 167.235.109.35/32
policyTypes:
- Egress

@ -0,0 +1,24 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: ingress-zalpgoperator2pginstances
spec:
podSelector:
matchLabels:
cluster-name: {{ .Values.postgres.name }}
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: {{ .Values.postgres.pg_operator.namespace }}
ports:
- protocol: TCP
port: 5432
- protocol: TCP
port: 8008
- protocol: TCP
port: 8080

@ -0,0 +1,8 @@
apiVersion: "acid.zalan.do/v1"
kind: postgresql
metadata:
name: {{ .Values.postgres.name | default "pgcluster" }}
{{- with .Values.postgres.spec }}
spec:
{{- toYaml . | nindent 2 }}
{{- end }}
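Review bot: `metadata.name` falls back to `"pgcluster"` via `default`, but the NetworkPolicies that select this cluster use `{{ .Values.postgres.name }}` without the same default, so an install that leaves `postgres.name` unset creates a cluster named `pgcluster` whose `cluster-name` selectors render empty and match nothing (and the two hard-coded `cluster-name: postgres-cluster` selectors would not match either). Either drop the `default` (values sets `name: postgres-cluster` anyway) or apply the same `| default "pgcluster"` in every selector. The Zalando operator, as far as I recall, expects the cluster name to start with `teamId` followed by a dash, which `postgres-cluster` satisfies for `teamId: postgres` but `pgcluster` would not, so the fallback should be checked against that rule. The `{{- with .Values.postgres.spec }}` guard also means an empty spec renders a CR with no `spec` at all; `required` would fail early with a clearer error.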

@ -0,0 +1,20 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
labels:
prometheus: kube-prometheus-stack-prometheus
role: alert-rules
release: {{ .Values.global.prometheus.release_label }}
name: postgres-basebackup
spec:
groups:
- name: "postgres_basebackup.rules"
rules:
- alert: postgres basebackup too old
for: 5m
labels:
team: {{ .Values.postgres.monitoring.alerts.postgres.basebackup.teamLabel | quote }}
severity: critical
expr: absent(pg_basebackup_successful_timestamp_{{ .Release.Name }}) or (time() - pg_basebackup_successful_timestamp_{{ .Release.Name }} > {{ .Values.postgres.monitoring.alerts.postgres.basebackup.timeThreshold }})
annotations:
message: last postgres backup found older than {{ .Values.postgres.monitoring.alerts.postgres.basebackup.timeThreshold }}
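Review bot: `alert: postgres basebackup too old` contains spaces; Prometheus 2.x validates alert names with the metric-name rule (`[a-zA-Z_:][a-zA-Z0-9_:]*`), so the rule group is rejected at load time and the alert never fires, with the rejection visible only in Prometheus' logs or the rule status page — use `alert: PostgresBasebackupTooOld`. The expression also embeds `{{ .Release.Name }}` in the metric name, which a hyphenated release name turns into a subtraction; it must be rendered with the same `replace "-" "_"` as the script that pushes the metric. `annotations.message` is not one of the conventional `summary`/`description` keys most Alertmanager templates read, so it is worth confirming that the receiver templates actually surface it.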

@ -0,0 +1,119 @@
global:
prometheus:
release_label: kube-prometheus-stack
tenant:
tenant:
name: s3-mobene-keycloak-prodwork01
configuration:
name: minio-config
pools:
- servers: 4
volumesPerServer: 2
storageClassName: hcloud-volumes
size: 10Gi
buckets:
- name: postgres
region: ""
users:
- name: pgbackup
prometheus:
diskCapacityGB: false
log:
audit:
diskCapacityGB: false
env:
- name: MINIO_PROMETHEUS_AUTH_TYPE
value: "public"
- name: MINIO_PROMETHEUS_JOB_ID
value: "mobene-keycloak"
- name: MINIO_PROMETHEUS_URL
value: "http://kube-prometheus-stack-prometheus.monitoring:9090"
- name: CONSOLE_PROMETHEUS_URL
value: "http://kube-prometheus-stack-prometheus.monitoring:9090"
ingress:
api:
enabled: true
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
cert-manager.io/issue-temporary-certificate: "true"
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 32m
nginx.ingress.kubernetes.io/whitelist-source-range: >-
212.121.131.106/32,149.233.6.129/32,46.245.219.98/32,164.138.195.162/32,195.201.31.227/32,167.235.150.201/32,167.235.150.198/32,167.235.150.195/32,167.235.150.133/32,167.235.150.197/32,23.88.53.161/32,195.201.113.110/32,5.75.184.216/32,195.201.127.50/32,164.92.251.253/32
host: s3storage-mobene-keycloak-prodwork01.smardigo.digital
tls:
- secretName: s3-miniotest-cert
hosts:
- s3storage-mobene-keycloak-prodwork01.smardigo.digital
console:
enabled: true
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
cert-manager.io/issue-temporary-certificate: "true"
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
host: s3console-mobene-keycloak-prodwork01.smardigo.digital
tls:
- secretName: s3-console-cert
hosts:
- s3console-mobene-keycloak-prodwork01.smardigo.digital
postgres:
pg_operator:
namespace: zalando-postgres-operator
monitoring:
prometheusPushgatewayURL: "http://prometheus-pushgateway.monitoring:9091/metrics/job/pg_basebackup"
alerts:
postgres:
basebackup:
timeThreshold: 86400
teamLabel: '' # empty but no defined alertmanager receiver => catchall devops-team
name: postgres-cluster
spec:
teamId: "postgres"
volume:
size: 10Gi
numberOfInstances: 3
users:
keycloak_admin:
- superuser
- createdb
databases:
keycloak: keycloak_admin
preparedDatabases:
keycloak: {}
postgresql:
version: "14"
parameters:
max_connections: "100"
resources:
limits:
memory: 2Gi
requests:
cpu: "0.5"
additionalVolumes:
-
name: backup-monitoring-script
mountPath: /nso_scripts/
volumeSource:
configMap:
name: backup-monitoring-script
defaultMode: 0777
targetContainers:
- postgres
prometheus-postgres-exporter:
serviceMonitor:
enabled: true
labels:
release: kube-prometheus-stack
rbac:
pspEnabled: false
config:
datasourceSecret:
name: postgres-exporter-database-connection
key: datasource
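Review bot: `keycloak_admin` is granted `superuser` (and `createdb`) although it is only used as the owner of the `keycloak` database via `databases:`/`preparedDatabases:`, so an application credential with cluster-wide superuser rights ends up in the Keycloak deployment; dropping both flags and leaving the role as database owner should be sufficient for Keycloak's schema management. `defaultMode: 0777` on the `backup-monitoring-script` volume asks for world-writable permissions on a read-only ConfigMap mount and relies on the YAML 1.1 octal reading of an unquoted leading-zero integer; `defaultMode: 0555` expresses what is actually needed. `secretName: s3-miniotest-cert` for the API ingress looks like a leftover from a test chart next to `s3-console-cert`; if cert-manager creates it the name is harmless but misleading. The long hard-coded `whitelist-source-range` string would be easier to audit as a values list rendered with `join ","`.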