diff options
Diffstat (limited to 'kubernetes/common')
-rw-r--r-- | kubernetes/common/postgres-init/.helmignore | 21 | ||||
-rw-r--r-- | kubernetes/common/postgres-init/Chart.yaml | 18 | ||||
-rw-r--r-- | kubernetes/common/postgres-init/requirements.yaml | 21 | ||||
-rw-r--r-- | kubernetes/common/postgres-init/resources/config/setup.sql | 19 | ||||
-rw-r--r-- | kubernetes/common/postgres-init/templates/configmap.yaml | 29 | ||||
-rw-r--r-- | kubernetes/common/postgres-init/templates/job.yaml | 121 | ||||
-rw-r--r-- | kubernetes/common/postgres-init/templates/secrets.yaml | 16 | ||||
-rw-r--r-- | kubernetes/common/postgres-init/values.yaml | 91 | ||||
-rw-r--r-- | kubernetes/common/postgres/templates/_deployment.tpl | 5 | ||||
-rw-r--r-- | kubernetes/common/timescaledb/templates/statefulset.yaml | 13 | ||||
-rw-r--r-- | kubernetes/common/timescaledb/values.yaml | 45 |
11 files changed, 376 insertions, 23 deletions
diff --git a/kubernetes/common/postgres-init/.helmignore b/kubernetes/common/postgres-init/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/kubernetes/common/postgres-init/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/kubernetes/common/postgres-init/Chart.yaml b/kubernetes/common/postgres-init/Chart.yaml new file mode 100644 index 0000000000..7de0d9acb6 --- /dev/null +++ b/kubernetes/common/postgres-init/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: Chart for Postgres init job +name: postgres-init +version: 8.0.0 diff --git a/kubernetes/common/postgres-init/requirements.yaml b/kubernetes/common/postgres-init/requirements.yaml new file mode 100644 index 0000000000..1a4ab2f2cf --- /dev/null +++ b/kubernetes/common/postgres-init/requirements.yaml @@ -0,0 +1,21 @@ +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: common + version: ~8.x-0 + repository: 'file://../common' + - name: repositoryGenerator + version: ~8.x-0 + repository: 'file://../repositoryGenerator' diff --git a/kubernetes/common/postgres-init/resources/config/setup.sql b/kubernetes/common/postgres-init/resources/config/setup.sql new file mode 100644 index 0000000000..06e07245be --- /dev/null +++ b/kubernetes/common/postgres-init/resources/config/setup.sql @@ -0,0 +1,19 @@ +--- User Setup +CREATE USER "${PG_USER}" LOGIN; +ALTER USER "${PG_USER}" PASSWORD '${PG_PASSWORD}'; + +CREATE DATABASE ${PG_DATABASE}; +GRANT ALL PRIVILEGES ON DATABASE ${PG_DATABASE} TO "${PG_USER}"; + +--- PG_DATABASE Setup + +\c ${PG_DATABASE} + +CREATE EXTENSION IF NOT EXISTS pg_stat_statements; +CREATE EXTENSION IF NOT EXISTS pgaudit; + +--- Create schema for PG_USER + +\c ${PG_DATABASE} + +CREATE SCHEMA IF NOT EXISTS "${PG_USER}" AUTHORIZATION "${PG_USER}"; diff --git a/kubernetes/common/postgres-init/templates/configmap.yaml b/kubernetes/common/postgres-init/templates/configmap.yaml new file mode 100644 index 0000000000..66c28a0c69 --- /dev/null +++ b/kubernetes/common/postgres-init/templates/configmap.yaml @@ -0,0 +1,29 @@ +{{/* +# Copyright © 2021 Orange +# +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/common/postgres-init/templates/job.yaml b/kubernetes/common/postgres-init/templates/job.yaml new file mode 100644 index 0000000000..01151bb4a9 --- /dev/null +++ b/kubernetes/common/postgres-init/templates/job.yaml @@ -0,0 +1,121 @@ +{{/* +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "common.fullname" . }}-config-job + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + backoffLimit: 20 + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + name: {{ include "common.name" . }} + spec: + initContainers: + - name: {{ include "common.name" . }}-readiness + command: + - /app/ready.py + args: + - --container-name + - {{ .Values.global.postgres.container.name }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + containers: + - command: + - sh + args: + - -c + - | + function prepare_password { + echo -n $1 | sed -e "s/'/''/g" + } + export PG_PASSWORD=`prepare_password $PG_PASSWORD_INPUT`; + export PG_ROOT_PASSWORD=`prepare_password $PG_ROOT_PASSWORD_INPUT`; + cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done; + psql "postgresql://postgres:$PG_ROOT_PASSWORD@$PG_HOST" < /config/setup.sql + env: + - name: PG_HOST + value: "{{ .Values.global.postgres.service.name2 }}" + - name: PG_PRIMARY_USER + value: primaryuser + - name: MODE + value: postgres + - name: PG_PRIMARY_PASSWORD_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.postgres.secret.primaryPasswordUID" .) "key" "password") | indent 10 }} + - name: PG_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.postgres.secret.userCredentialsUID" .) "key" "login") | indent 10 }} + - name: PG_PASSWORD_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.postgres.secret.userCredentialsUID" .) "key" "password") | indent 10 }} + - name: PG_DATABASE + value: "{{ .Values.config.pgDatabase }}" + - name: PG_ROOT_PASSWORD_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.postgres.secret.rootPassUID" .) "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input/setup.sql + name: config + subPath: setup.sql + - mountPath: /config + name: pgconf + image: {{ include "repositoryGenerator.image.postgres" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + volumeMounts: + - mountPath: /etc/localtime + name: localtime + readOnly: true + - mountPath: /config-input/setup.sql + name: config + subPath: setup.sql + - mountPath: /config + name: pgconf + resources: +{{ include "common.resources" . | indent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + volumes: + - name: localtime + hostPath: + path: /etc/localtime + - name: config + configMap: + name: {{ include "common.fullname" . }} + - name: pgconf + emptyDir: + medium: Memory + restartPolicy: Never + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/common/postgres-init/templates/secrets.yaml b/kubernetes/common/postgres-init/templates/secrets.yaml new file mode 100644 index 0000000000..f3bea1ff6d --- /dev/null +++ b/kubernetes/common/postgres-init/templates/secrets.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2021 Orange +# # +# # Licensed under the Apache License, Version 2.0 (the "License"); +# # you may not use this file except in compliance with the License. +# # You may obtain a copy of the License at +# # +# # http://www.apache.org/licenses/LICENSE-2.0 +# # +# # Unless required by applicable law or agreed to in writing, software +# # distributed under the License is distributed on an "AS IS" BASIS, +# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# # See the License for the specific language governing permissions and +# # limitations under the License. +*/}} +{{ include "common.secretFast" . }} diff --git a/kubernetes/common/postgres-init/values.yaml b/kubernetes/common/postgres-init/values.yaml new file mode 100644 index 0000000000..7bcd8e23b4 --- /dev/null +++ b/kubernetes/common/postgres-init/values.yaml @@ -0,0 +1,91 @@ +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + postgres: + service: + name: pgset + container: + name: postgres + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: '{{ include "common.postgres.secret.rootPassUID" . }}' + type: password + externalSecret: '{{ tpl (default "" .Values.config.pgRootPasswordExternalSecret) . }}' + password: '{{ .Values.config.pgRootPassword }}' + - uid: '{{ include "common.postgres.secret.userCredentialsUID" . }}' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.pgUserExternalSecret) . }}' + login: '{{ .Values.config.pgUserName }}' + password: '{{ .Values.config.pgUserPassword }}' + - uid: '{{ include "common.postgres.secret.primaryPasswordUID" . }}' + type: password + externalSecret: '{{ tpl (default "" .Values.config.pgPrimaryPasswordExternalSecret) . }}' + password: '{{ .Values.config.pgPrimaryPassword }}' + +################################################################# +# Application configuration defaults. +################################################################# + +pullPolicy: Always + +# application configuration +config: + pgUserName: testuser + pgDatabase: userdb + pgDataPath: data + pgRootPasswordExternalSecret: '{{ include "common.namespace" . }}-postgres-db-root-password' + # pgPrimaryPassword: password + # pgUserPassword: password + # pgRootPassword: password + +nodeSelector: {} + +affinity: {} + +flavor: small + +#resources: {} +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# +# Example: +# Configure resource requests and limits +# ref: http://kubernetes.io/docs/user-guide/compute-resources/ +# Minimum memory for development is 2 CPU cores and 4GB memory +# Minimum memory for production is 4 CPU cores and 8GB memory +resources: + small: + limits: + cpu: 100m + memory: 300Mi + requests: + cpu: 10m + memory: 90Mi + large: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + unlimited: {} diff --git a/kubernetes/common/postgres/templates/_deployment.tpl b/kubernetes/common/postgres/templates/_deployment.tpl index d93d401ebc..341b4c86c7 100644 --- a/kubernetes/common/postgres/templates/_deployment.tpl +++ b/kubernetes/common/postgres/templates/_deployment.tpl @@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, AT&T, Bell Canada # Copyright © 2020 Samsung Electronics +# Copyright © 2021 Orange # Modifications Copyright (C) 2021 Bell Canada. # # # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -126,9 +127,9 @@ spec: - name: PG_MODE value: {{ $pgMode }} - name: PG_PRIMARY_HOST - value: "{{ $dot.Values.container.name.primary }}" + value: "{{ $dot.Values.service.name2 }}" - name: PG_REPLICA_HOST - value: "{{ $dot.Values.container.name.replica }}" + value: "{{ $dot.Values.service.name3 }}" - name: PG_PRIMARY_PORT value: "{{ $dot.Values.service.internalPort }}" - name: PG_PRIMARY_PASSWORD diff --git a/kubernetes/common/timescaledb/templates/statefulset.yaml b/kubernetes/common/timescaledb/templates/statefulset.yaml index 435c925eb2..a3d942fcfa 100644 --- a/kubernetes/common/timescaledb/templates/statefulset.yaml +++ b/kubernetes/common/timescaledb/templates/statefulset.yaml @@ -29,25 +29,26 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{ include "common.podSecurityContext" . | indent 10 | trim}} initContainers: - - name: chowm-mount-path + # we shouldn't need this but for unknown reason, it's fsGroup is not + # applied + - name: fix-permission command: - /bin/sh args: - -c - - chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }} /var/lib/postgresql/data + - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /var/lib/postgresql/data image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + securityContext: + runAsUser: 0 volumeMounts: - mountPath: /var/lib/postgresql/data name: {{ include "common.fullname" . }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} imagePullPolicy: {{ .Values.pullPolicy }} ports: {{ include "common.containerPorts" . | nindent 12 }} livenessProbe: diff --git a/kubernetes/common/timescaledb/values.yaml b/kubernetes/common/timescaledb/values.yaml index 55acd92847..258f516ff0 100644 --- a/kubernetes/common/timescaledb/values.yaml +++ b/kubernetes/common/timescaledb/values.yaml @@ -37,30 +37,45 @@ serviceAccount: roles: - read -podSecurityContext: {} - # fsGroup: 2000 - securityContext: # Uid and gid to run the entrypoint of the container process (uid 70 is postgres user and gid 70 is postgres group) - runAsUser: 70 - runAsGroup: 70 + user_id: 70 + group_id: 70 # capabilities: # drop: # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true +flavor: small + +#resources: {} +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# +# Example: +# Configure resource requests and limits +# ref: http://kubernetes.io/docs/user-guide/compute-resources/ +# Minimum memory for development is 2 CPU cores and 4GB memory +# Minimum memory for production is 4 CPU cores and 8GB memory resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - limits: - cpu: 0.5 - memory: 256Mi - requests: - cpu: 20m - memory: 256Mi + small: + limits: + cpu: 100m + memory: 300Mi + requests: + cpu: 10m + memory: 90Mi + large: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + unlimited: {} nodeSelector: {} |