
apiVersion: v1
kind: ConfigMap
metadata:
  name: postgresql-config
  namespace: {{ .Values.projectName | quote }}
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: "13"
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
  annotations:
    # Same Argo CD sync wave as every other PostgreSQL resource in this file.
    argocd.argoproj.io/sync-wave: "5"
data:
  # Mounted read-only at /opt/app-root/src/postgresql-cfg by the StatefulSet
  # below. The paths referenced here are produced by 'enable_ssl.sh' in the
  # 'postgresql-prestart-hook' ConfigMap, which runs before the server starts.
  ssl.conf: |
    ssl = on
    # The TLS certificate & key are generated using the OpenShift's service serving
    # certificate secrets via corresponding annotation of the PostgreSQL service
    # and stored into a read-only persistent volume, corresponding to the OpenShift
    # secret.
    #
    # Later the 'postgresql-pre-start/enable_ssl.sh' script, present in this
    # repository, copies the generated TLS certificate & key to by current UID
    # writable "/var/run/postgresql/pki" directory, so it's possible to correct
    # the permissions of the TLS private key to mode required by PostgreSQL server
    ssl_cert_file = '/var/run/postgresql/pki/tls.crt' # PostgreSQL server certificate
    ssl_key_file = '/var/run/postgresql/pki/tls.key' # PostgreSQL server private key
    ssl_ca_file = '/run/secrets/kubernetes.io/serviceaccount/ca.crt' # OpenShift CA
---
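apiVersion: v1
kind: ConfigMap
metadata:
  name: postgresql-prestart-hook
  namespace: {{ .Values.projectName | quote }}
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: "13"
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
  annotations:
    # Same Argo CD sync wave as every other PostgreSQL resource in this file.
    argocd.argoproj.io/sync-wave: "5"
data:
  # Mounted (defaultMode 0755) at /opt/app-root/src/postgresql-pre-start by the
  # StatefulSet below and executed before the PostgreSQL server starts.
  enable_ssl.sh: |
    #!/usr/bin/env bash
    # Copy the TLS certificate & key generated by the OpenShift's service serving
    # certificate secrets from "/etc/pki/postgresql" (which is mounted read-only,
    # since coming from secret) to "/var/run/postgresql/pki", so it's possible to
    # correct the permissions of the TLS private key as required below.
    set -euo pipefail

    SOURCE_DIR="/etc/pki/postgresql"
    DESTINATION_DIR="/var/run/postgresql/pki"

    # 'mkdir -p' is a no-op for an existing directory, so no existence check is
    # needed around it.
    mkdir -p "${DESTINATION_DIR}"

    # PostgreSQL will fail to start and throw an error like:
    #
    #   FATAL: private key file "/path/to/key" has group or world access
    #   File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.
    #
    # if the permissions of the TLS private key are incorrect.
    #
    # 'install -m' creates the copy with its final mode in one step, so the key
    # is never group- or world-readable in the writable location, not even for
    # the moment between a plain 'cp' and a later 'chmod'.
    install -m 0644 "${SOURCE_DIR}/tls.crt" "${DESTINATION_DIR}/tls.crt"
    install -m 0600 "${SOURCE_DIR}/tls.key" "${DESTINATION_DIR}/tls.key"
---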
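apiVersion: v1
kind: ConfigMap
metadata:
  name: postgresql-start-hook
  namespace: {{ .Values.projectName | quote }}
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: "13"
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
  annotations:
    # Same Argo CD sync wave as every other PostgreSQL resource in this file.
    argocd.argoproj.io/sync-wave: "5"
data:
  # Mounted (defaultMode 0755) at /opt/app-root/src/postgresql-start by the
  # StatefulSet below and executed once the server is up.
  create_db_user.sh: |
    #!/usr/bin/env bash
    # For every '<user>-database-password' key of the 'demo-seed' secret (mounted
    # read-only at /var/run/demo-seed by the StatefulSet below) create a role
    # named '<user>' with that password and a database of the same name owned by
    # it. Both statements are best-effort so that re-runs against an already
    # seeded instance keep going, hence the '|| true'.
    set -u
    # Without nullglob an empty directory would leave the literal pattern in $file.
    shopt -s nullglob

    for file in /var/run/demo-seed/*-database-password; do
      filename="$(basename "$file")"
      user="${filename%-database-password}"

      echo "Creating user $user..."
      # The password is read by psql itself from the environment of this single
      # invocation and interpolated with :'pw', which escapes it as an SQL string
      # literal. It therefore neither appears on a command line (where 'ps' or
      # /proc would show it) nor can a quote character in the secret break or
      # alter the statement. :"user" quotes the role name as an identifier.
      NEW_DB_PASSWORD="$(cat "$file")" psql -q -v user="$user" <<'SQL' || true
    \set pw `printf '%s' "$NEW_DB_PASSWORD"`
    CREATE USER :"user" WITH ENCRYPTED PASSWORD :'pw';
    SQL

      echo "Creating database $user..."
      psql -q -v user="$user" <<'SQL' || true
    CREATE DATABASE :"user" OWNER :"user";
    SQL
    done
---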
apiVersion: v1
kind: Service
metadata:
  name: postgresql-server
  namespace: {{ .Values.projectName | quote }}
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: "13"
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
  annotations:
    # Same Argo CD sync wave as every other PostgreSQL resource in this file.
    argocd.argoproj.io/sync-wave: "5"
    # Asks OpenShift's service CA to issue a serving certificate for this
    # Service into the 'postgresql-ssl' secret; the name must match the
    # 'postgresql-ssl' secret volume of the StatefulSet below. This is the
    # legacy 'alpha' annotation; the 'service.beta.openshift.io/...' form is
    # the current name for the same feature.
    service.alpha.openshift.io/serving-cert-secret-name: postgresql-ssl
spec:
  selector:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
  ports:
    - port: 5432
      targetPort: 5432
---
apiVersion: v1
kind: Service
metadata:
  name: postgresql
  namespace: {{ .Values.projectName | quote }}
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: "13"
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
  annotations:
    # Same Argo CD sync wave as every other PostgreSQL resource in this file.
    argocd.argoproj.io/sync-wave: "5"
spec:
  # Headless service: referenced by 'serviceName' in the StatefulSet below so
  # the pod gets a stable DNS name.
  clusterIP: None
  selector:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
  ports:
    - port: 5432
      targetPort: 5432
---
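apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgresql
  namespace: {{ .Values.projectName | quote }}
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: "13"
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
  annotations:
    # Same Argo CD sync wave as every other PostgreSQL resource in this file.
    argocd.argoproj.io/sync-wave: "5"
spec:
  # Must name the headless Service 'postgresql' defined above.
  serviceName: "postgresql"
  # A single instance backed by the pre-created 'postgresql-data' PVC below;
  # that claim is ReadWriteOnce, so this is not safe to scale up as-is.
  replicas: 1
  minReadySeconds: 10
  selector:
    matchLabels:
      app.kubernetes.io/name: postgresql
      app.kubernetes.io/component: postgresql-server
      app.kubernetes.io/instance: postgresql-server
  template:
    metadata:
      labels:
        app.kubernetes.io/name: postgresql
        app.kubernetes.io/component: postgresql-server
        app.kubernetes.io/instance: postgresql-server
    spec:
      terminationGracePeriodSeconds: 10
      containers:
        - name: postgresql-server
          # NOTE(review): a floating ':latest' tag combined with 'Always' means
          # each pod start may pull a different image than the last one; pin a
          # fixed tag or digest for reproducible, auditable deployments.
          image: registry.redhat.io/rhel8/postgresql-13:latest
          imagePullPolicy: Always
          env:
            - name: POSTGRESQL_USER
              value: admin
            - name: POSTGRESQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: demo-seed
                  key: postgresql-admin-password
            - name: POSTGRESQL_DATABASE
              value: admin
            # No 'value' given, so these are exported as empty strings;
            # presumably the image then applies its own defaults - confirm
            # against the image documentation before relying on it.
            - name: POSTGRESQL_MAX_CONNECTIONS
            - name: POSTGRESQL_MAX_PREPARED_TRANSACTIONS
            - name: POSTGRESQL_SHARED_BUFFERS
          ports:
            - containerPort: 5432
              protocol: TCP
          livenessProbe:
            tcpSocket:
              port: 5432
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            exec:
              command:
                - /bin/sh
                # '-i' is kept from the original; presumably so the image's
                # interactive shell profile is sourced - confirm before removing.
                - -i
                - -c
                # One logical command line; '>-' folds it explicitly instead of
                # relying on an accidental plain-scalar continuation. With
                # PGSSLMODE=require the check only passes once the TLS setup from
                # 'ssl.conf' is actually in effect.
                - >-
                  PGSSLMODE=require psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE
                  -c 'SELECT 1'
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          # NOTE(review): no CPU/memory requests or limits; without them the
          # database can be starved or evicted under node pressure.
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - name: postgresql-data
              mountPath: /var/lib/pgsql/data
            # Serving certificate issued via the 'postgresql-server' Service
            # annotation; copied out by the pre-start hook because it is read-only.
            - name: postgresql-ssl
              mountPath: /etc/pki/postgresql
              readOnly: true
            - name: postgresql-config
              mountPath: /opt/app-root/src/postgresql-cfg
              readOnly: true
            - name: postgresql-prestart-hook
              mountPath: /opt/app-root/src/postgresql-pre-start
              readOnly: true
            - name: postgresql-start-hook
              mountPath: /opt/app-root/src/postgresql-start
              readOnly: true
            - name: demo-seed
              mountPath: /var/run/demo-seed
              readOnly: true
      volumes:
        - name: postgresql-data
          persistentVolumeClaim:
            claimName: postgresql-data
        - name: postgresql-ssl
          secret:
            secretName: postgresql-ssl
        - name: postgresql-config
          configMap:
            name: postgresql-config
        - name: postgresql-prestart-hook
          configMap:
            name: postgresql-prestart-hook
            # Leading-zero literal, read as octal (decimal 493, rwxr-xr-x) by
            # the YAML 1.1-style loader Helm and Kubernetes use; the hook must be
            # executable.
            defaultMode: 0755
        - name: postgresql-start-hook
          configMap:
            name: postgresql-start-hook
            # Same octal literal as above.
            defaultMode: 0755
        - name: demo-seed
          secret:
            secretName: demo-seed
---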
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: postgresql-data
  namespace: {{ .Values.projectName | quote }}
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: "13"
    app.kubernetes.io/component: postgresql-server
    app.kubernetes.io/instance: postgresql-server
  annotations:
    # Same Argo CD sync wave as every other PostgreSQL resource in this file.
    argocd.argoproj.io/sync-wave: "5"
spec:
  # Data directory of the single PostgreSQL pod in the StatefulSet above,
  # mounted at /var/lib/pgsql/data.
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi