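# PostgreSQL 13 server for the demo: TLS config, pre-start/start hook scripts,
# a ClusterIP Service (carrying the OpenShift serving-cert annotation), a
# headless Service for the StatefulSet, the StatefulSet itself and its PVC.
# Every resource is a Helm template (namespace comes from .Values.projectName)
# and carries the same Argo CD sync-wave annotation, so they are applied
# together.
---
apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "5"
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: '13'
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
  name: postgresql-config
  namespace: {{ .Values.projectName | quote }}
data:
  # Mounted at /opt/app-root/src/postgresql-cfg in the StatefulSet below;
  # presumably picked up by the image as an extra postgresql.conf fragment.
  ssl.conf: |
    ssl = on
    # The TLS certificate & key are generated using the OpenShift's service serving
    # certificate secrets via corresponding annotation of the PostgreSQL service
    # and stored into a read-only persistent volume, corresponding to the OpenShift
    # secret.
    #
    # Later the 'postgresql-pre-start/enable_ssl.sh' script, present in this
    # repository, copies the generated TLS certificate & key to by current UID
    # writable "/var/run/postgresql/pki" directory, so it's possible to correct
    # the permissions of the TLS private key to mode required by PostgreSQL server
    ssl_cert_file = '/var/run/postgresql/pki/tls.crt'   # PostgreSQL server certificate
    ssl_key_file = '/var/run/postgresql/pki/tls.key'    # PostgreSQL server private key
    ssl_ca_file = '/run/secrets/kubernetes.io/serviceaccount/ca.crt'  # OpenShift CA
    # Explicit protocol floor. PostgreSQL 13 already defaults to TLSv1.2, but
    # stating it here keeps TLS 1.0/1.1 off even if the default is ever changed.
    ssl_min_protocol_version = 'TLSv1.2'
---
apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "5"
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: '13'
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
  name: postgresql-prestart-hook
  namespace: {{ .Values.projectName | quote }}
data:
  # Mounted at /opt/app-root/src/postgresql-pre-start (mode 0755) and run by
  # the image before the server starts.
  enable_ssl.sh: |
    #!/usr/bin/env bash
    set -eu

    # Copy the TLS certificate & key generated by the OpenShift's service serving
    # certificate secrets from "/etc/pki/postgresql" (which is mounted read-only,
    # since coming from secret) to "/var/run/postgresql/pki", so it's possible to
    # correct the permissions of the TLS private key as required below
    SOURCE_DIR="/etc/pki/postgresql"
    DESTINATION_DIR="/var/run/postgresql/pki"

    if [ ! -d "${DESTINATION_DIR}" ]; then
      mkdir -p "${DESTINATION_DIR}"
    fi

    # Create the copies owner-only from the start, so the private key is never
    # group/world readable, not even between the cp and the chmod below.
    umask 077
    cp "${SOURCE_DIR}"/tls.{crt,key} "${DESTINATION_DIR}"

    # PostgreSQL will fail to start and throw an error like:
    #
    #   FATAL:  private key file "/path/to/key" has group or world access
    #   File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.
    #
    # if the permissions of the TLS private key are incorrect.
    #
    # Thus correct the permissions so PostgreSQL server can start successfully
    chmod 0600 "${DESTINATION_DIR}/tls.key"
---
apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "5"
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: '13'
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
  name: postgresql-start-hook
  namespace: {{ .Values.projectName | quote }}
data:
  # Mounted at /opt/app-root/src/postgresql-start (mode 0755) and run by the
  # image once the server is up.
  create_db_user.sh: |
    #!/usr/bin/env bash
    # Seed one login role and one database per "<name>-database-password" file
    # found in the demo-seed secret mounted at /var/run/demo-seed.
    #
    # The SQL is fed to psql on stdin rather than through `-c`, so the password
    # never shows up in a process argument list, and the quote characters SQL
    # uses as delimiters are doubled beforehand, so a password (or name)
    # containing one cannot terminate the literal/identifier early.
    #
    # NOTE(review): the image presumably sources this file into its own run
    # script, so no `set -e` / `shopt` changes are made here — they would leak
    # into the caller. Failures stay best-effort (`|| true`) on purpose: the hook
    # runs on every start and the role/database normally already exist.
    sq="'"
    dq='"'
    for file in /var/run/demo-seed/*-database-password; do
      # With no match the glob pattern itself is left in $file; skip it.
      [ -r "$file" ] || continue
      filename="$(basename "$file")"
      user="${filename%-database-password}"
      user_ident="${user//$dq/$dq$dq}"
      password_literal="$(cat "$file")"
      password_literal="${password_literal//$sq/$sq$sq}"

      echo "Creating user $user..."
      psql -q <<SQL || true
    CREATE USER "$user_ident" WITH ENCRYPTED PASSWORD '$password_literal';
    SQL

      echo "Creating database $user..."
      psql -q <<SQL || true
    CREATE DATABASE "$user_ident" OWNER "$user_ident";
    SQL
    done
---
# Regular ClusterIP Service. The serving-cert annotation makes OpenShift issue
# the server certificate/key into the postgresql-ssl secret consumed above.
apiVersion: v1
kind: Service
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "5"
    service.alpha.openshift.io/serving-cert-secret-name: postgresql-ssl
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: '13'
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
  name: postgresql-server
  namespace: {{ .Values.projectName | quote }}
spec:
  ports:
    - port: 5432
      targetPort: 5432
  selector:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
---
# Headless Service referenced by the StatefulSet's serviceName.
apiVersion: v1
kind: Service
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "5"
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: '13'
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
  name: postgresql
  namespace: {{ .Values.projectName | quote }}
spec:
  clusterIP: None  # Headless service
  ports:
    - port: 5432
      targetPort: 5432
  selector:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "5"
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: '13'
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
  name: postgresql
  namespace: {{ .Values.projectName | quote }}
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: postgresql
      app.kubernetes.io/component: postgresql-server
      app.kubernetes.io/instance: postgresql-server
  serviceName: "postgresql"
  replicas: 1
  minReadySeconds: 10
  template:
    metadata:
      labels:
        app.kubernetes.io/name: postgresql
        app.kubernetes.io/component: postgresql-server
        app.kubernetes.io/instance: postgresql-server
    spec:
      terminationGracePeriodSeconds: 10
      containers:
        - env:
            - name: POSTGRESQL_USER
              value: admin
            - name: POSTGRESQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: demo-seed
                  key: postgresql-admin-password
            - name: POSTGRESQL_DATABASE
              value: admin
            # NOTE(review): the three variables below are set without a value,
            # i.e. exported empty; presumably the image then falls back to its
            # built-in defaults — confirm, or give them explicit values.
            - name: POSTGRESQL_MAX_CONNECTIONS
            - name: POSTGRESQL_MAX_PREPARED_TRANSACTIONS
            - name: POSTGRESQL_SHARED_BUFFERS
          # Mutable tag pulled on every start: each restart may silently pick up
          # a different build. Pinning to a specific tag or an image digest makes
          # the deployment reproducible and auditable.
          image: registry.redhat.io/rhel8/postgresql-13:latest
          imagePullPolicy: Always
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 5432
            timeoutSeconds: 10
          name: postgresql-server
          ports:
            - containerPort: 5432
              protocol: TCP
          readinessProbe:
            exec:
              command:
                - /bin/sh
                - -i
                - -c
                - "PGSSLMODE=require psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 'SELECT 1'"
            failureThreshold: 3
            periodSeconds: 10
            initialDelaySeconds: 30
            successThreshold: 1
            timeoutSeconds: 10
          # No requests/limits: the pod runs at BestEffort QoS and is the first
          # to be evicted under node pressure. Values depend on the target
          # cluster, so none are invented here.
          resources: {}
          # Explicit hardening; matches what OpenShift's restricted SCC enforces
          # and keeps the same posture on clusters without that SCC. The hooks
          # only mkdir/cp/chmod as the container user, so no capability is needed.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /var/lib/pgsql/data
              name: postgresql-data
            - mountPath: /etc/pki/postgresql
              name: postgresql-ssl
              readOnly: true
            - mountPath: /opt/app-root/src/postgresql-cfg
              name: postgresql-config
              readOnly: true
            - mountPath: /opt/app-root/src/postgresql-pre-start
              name: postgresql-prestart-hook
              readOnly: true
            - mountPath: /opt/app-root/src/postgresql-start
              name: postgresql-start-hook
              readOnly: true
            # Exposes every key of the demo-seed secret as a file; the start hook
            # reads the *-database-password ones.
            - mountPath: /var/run/demo-seed
              name: demo-seed
              readOnly: true
      volumes:
        - name: postgresql-data
          persistentVolumeClaim:
            claimName: postgresql-data
        - name: postgresql-ssl
          secret:
            secretName: postgresql-ssl
        - name: postgresql-config
          configMap:
            name: postgresql-config
        # Hook scripts must be executable: 0755 is an octal integer here, which
        # Kubernetes' YAML loader (1.1 semantics) reads as 493 = rwxr-xr-x.
        - name: postgresql-prestart-hook
          configMap:
            name: postgresql-prestart-hook
            defaultMode: 0755
        - name: postgresql-start-hook
          configMap:
            name: postgresql-start-hook
            defaultMode: 0755
        - name: demo-seed
          secret:
            secretName: demo-seed
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "5"
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: '13'
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
  name: postgresql-data
  namespace: {{ .Values.projectName | quote }}
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi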