feat: overhaul

This commit is contained in:
auricom
2025-01-04 00:00:04 +01:00
parent b14022014b
commit 0c9529c7a2
408 changed files with 3187 additions and 2380 deletions


@@ -1,34 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: cloudnative-pg
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: cloudnative-pg-secret
template:
engineVersion: v2
metadata:
labels:
cnpg.io/reload: "true"
data:
- secretKey: username
remoteRef:
key: cloudnative-pg
property: POSTGRES_SUPER_USER
- secretKey: password
remoteRef:
key: cloudnative-pg
property: POSTGRES_SUPER_PASS
- secretKey: aws-access-key-id
remoteRef:
key: cloudnative-pg
property: AWS_ACCESS_KEY_ID
- secretKey: aws-secret-access-key
remoteRef:
key: cloudnative-pg
property: AWS_SECRET_ACCESS_KEY


@@ -1,34 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cloudnative-pg
spec:
interval: 30m
chart:
spec:
chart: cloudnative-pg
version: 0.23.0
sourceRef:
kind: HelmRepository
name: cloudnative-pg
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
dependsOn:
- name: openebs
namespace: openebs-system
values:
crds:
create: true
config:
data:
INHERITED_ANNOTATIONS: kyverno.io/ignore


@@ -1,18 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./externalsecret.yaml
- ./helmrelease.yaml
configMapGenerator:
- name: cloudnative-pg-dashboard
files:
- cloudnative-pg-dashboard.json=https://raw.githubusercontent.com/cloudnative-pg/charts/main/charts/cloudnative-pg/monitoring/grafana-dashboard.json
generatorOptions:
disableNameSuffixHash: true
annotations:
kustomize.toolkit.fluxcd.io/substitute: disabled
labels:
grafana_dashboard: "true"


@@ -1,70 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: postgres16
spec:
instances: 4 # set to the number of nodes in the cluster
imageName: ghcr.io/cloudnative-pg/postgresql:16.2-10@sha256:82827bc9bc5ca7df1d7f7d4813444e0e7a8e32633ad72c5c66ad2be72c3b2095
primaryUpdateStrategy: unsupervised
storage:
size: 50Gi
storageClass: openebs-hostpath
superuserSecret:
name: cloudnative-pg-secret
enableSuperuserAccess: true
resources:
requests:
cpu: 500m
limits:
memory: 4Gi
postgresql:
parameters:
max_connections: "600"
max_slot_wal_keep_size: 10GB
shared_buffers: 512MB
monitoring:
enablePodMonitor: true
# Ref: https://github.com/cloudnative-pg/cloudnative-pg/issues/2501
podMonitorMetricRelabelings:
- { sourceLabels: ["cluster"], targetLabel: cnpg_cluster, action: replace }
- { regex: cluster, action: labeldrop }
backup:
retentionPolicy: 30d
barmanObjectStore:
data:
compression: bzip2
wal:
compression: bzip2
maxParallel: 8
destinationPath: s3://postgresql/
endpointURL: https://s3.${SECRET_INTERNAL_DOMAIN}
# Note: serverName version needs to be inclemented
# when recovering from an existing cnpg cluster
serverName: postgres16-v4
s3Credentials:
accessKeyId:
name: cloudnative-pg-secret
key: aws-access-key-id
secretAccessKey:
name: cloudnative-pg-secret
key: aws-secret-access-key
# # Note: previousCluster needs to be set to the name of the previous
# # cluster when recovering from an existing cnpg cluster
# bootstrap:
# recovery:
# source: postgres16-v3
# externalClusters:
# - name: postgres16-v3
# barmanObjectStore:
# destinationPath: s3://postgresql/
# endpointURL: https://s3.${SECRET_INTERNAL_DOMAIN}
# s3Credentials:
# accessKeyId:
# name: cloudnative-pg-secret
# key: aws-access-key-id
# secretAccessKey:
# name: cloudnative-pg-secret
# key: aws-secret-access-key
# wal:
# maxParallel: 8


@@ -1,85 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app cloudnative-pg-postgres16-pgdump
namespace: default
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.6.0
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 2
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
uninstall:
keepHistory: false
values:
controllers:
cloudnative-pg-postgres16-pgdump:
type: cronjob
cronjob:
concurrencyPolicy: Forbid
schedule: "@daily"
initContainers:
init-db:
image:
repository: ghcr.io/onedr0p/postgres-init
tag: 16
env:
EXCLUDE_DBS: app home_assistant lidarr_log radarr_log sonarr_log prowlarr_log postgres template0 template1
envFrom: &envFrom
- secretRef:
name: cloudnative-pg-postgres16-pgdump-secret
command: /scripts/list_dbs.sh
containers:
app:
image:
repository: prodrigestivill/postgres-backup-local
tag: 16-alpine@sha256:d41309ea4abc06b1d369927cafa7abb8b9cccab21921dcb5d765379fcd9d60cb
command: [/backup.sh]
env:
POSTGRES_DB_FILE: /config/db_list
POSTGRES_EXTRA_OPTS: -Z9 --schema=public --blobs
BACKUP_KEEP_DAYS: "7"
BACKUP_KEEP_WEEKS: "4"
BACKUP_KEEP_MONTHS: "3"
HEALTHCHECK_PORT: "8080"
envFrom: *envFrom
service:
app:
controller: *app
enabled: false
persistence:
config:
enabled: true
type: emptyDir
globalMounts:
- path: /config
backups:
enabled: true
type: nfs
server: 192.168.9.10
path: /var/mnt/vol1/backups/postgresql
globalMounts:
- path: /backups
scripts:
enabled: true
type: configMap
name: cloudnative-pg-postgres16-pgdump-scripts # overriden by kustomizeconfig
defaultMode: 0775
globalMounts:
- path: /scripts


@@ -1,16 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./externalsecret.yaml
- ./helmrelease.yaml
configMapGenerator:
- name: cloudnative-pg-postgres16-pgdump-scripts
files:
- list_dbs.sh=./scripts/list_dbs.sh
generatorOptions:
disableNameSuffixHash: true
annotations:
kustomize.toolkit.fluxcd.io/substitute: disabled


@@ -1,37 +0,0 @@
#!/bin/bash
set -o nounset
set -o errexit
# File to store the list of databases
OUTPUT_FILE="/config/db_list"
# Export PG password to avoid password prompt
export PGPASSWORD="$POSTGRES_PASSWORD"
# Convert EXCLUDE_DBS to an array
IFS=' ' read -r -a EXCLUDE_ARRAY <<< "$EXCLUDE_DBS"
# List all databases and filter out the excluded ones
psql -h $POSTGRES_HOST -p $POSTGRES_PORT -U $POSTGRES_USER -lqt | \
cut -d \| -f 1 | \
sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | \
while read -r dbname; do
skip=false
for exclude in "${EXCLUDE_ARRAY[@]}"; do
if [[ "$dbname" == "$exclude" ]]; then
skip=true
break
fi
done
if [[ "$skip" == false ]]; then
echo "$dbname"
fi
done > "$OUTPUT_FILE"
# Unset PG password
unset PGPASSWORD
echo "Database list saved to $OUTPUT_FILE"
cat $OUTPUT_FILE


@@ -1,67 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/prometheusrule_v1.json
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: cloudnative-pg-rules
labels:
prometheus: k8s
role: alert-rules
spec:
groups:
- name: cloudnative-pg.rules
rules:
- alert: LongRunningTransaction
annotations:
description: Pod {{ $labels.pod }} is taking more than 5 minutes (300 seconds) for a query.
summary: A query is taking longer than 5 minutes.
expr: |-
cnpg_backends_max_tx_duration_seconds > 300
for: 1m
labels:
severity: warning
- alert: BackendsWaiting
annotations:
description: Pod {{ $labels.pod }} has been waiting for longer than 5 minutes
summary: If a backend is waiting for longer than 5 minutes
expr: |-
cnpg_backends_waiting_total > 300
for: 1m
labels:
severity: warning
- alert: PGDatabase
annotations:
description: Over 150,000,000 transactions from frozen xid on pod {{ $labels.pod }}
summary: Number of transactions from the frozen XID to the current one
expr: |-
cnpg_pg_database_xid_age > 150000000
for: 1m
labels:
severity: warning
- alert: PGReplication
annotations:
description: Standby is lagging behind by over 300 seconds (5 minutes)
summary: The standby is lagging behind the primary
expr: |-
cnpg_pg_replication_lag > 300
for: 1m
labels:
severity: warning
- alert: LastFailedArchiveTime
annotations:
description: Archiving failed for {{ $labels.pod }}
summary: Checks the last time archiving failed. Will be < 0 when it has not failed.
expr: |-
(cnpg_pg_stat_archiver_last_failed_time - cnpg_pg_stat_archiver_last_archived_time) > 1
for: 1m
labels:
severity: warning
- alert: DatabaseDeadlockConflicts
annotations:
description: There are over 10 deadlock conflicts in {{ $labels.pod }}
summary: Checks the number of database conflicts
expr: |-
cnpg_pg_stat_database_deadlocks > 10
for: 1m
labels:
severity: warning


@@ -1,11 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
name: postgres
spec:
schedule: "@daily"
immediate: true
backupOwnerReference: self
cluster:
name: postgres16


@@ -1,46 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app cloudnative-pg
namespace: flux-system
spec:
targetNamespace: database
commonMetadata:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: external-secrets-stores
path: ./kubernetes/apps/database/cloudnative-pg/app
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: true
interval: 30m
retryInterval: 1m
timeout: 5m
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cloudnative-pg-cluster
namespace: flux-system
spec:
targetNamespace: database
commonMetadata:
labels:
app.kubernetes.io/name: cloudnative-pg
dependsOn:
- name: cloudnative-pg
path: ./kubernetes/apps/database/cloudnative-pg/cluster
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: true
interval: 30m
retryInterval: 1m
timeout: 5m


@@ -1,65 +0,0 @@
# cloudnative-pg
## S3 Configuration
1. Create `~/.mc/config.json`
```json
{
"version": "10",
"aliases": {
"minio": {
"url": "https://s3.<domain>",
"accessKey": "<access-key>",
"secretKey": "<secret-key>",
"api": "S3v4",
"path": "auto"
}
}
}
```
2. Create the outline user and password
```sh
mc admin user add minio postgresql <super-secret-password>
```
3. Create the outline bucket
```sh
mc mb minio/postgresql
```
4. Create `postgresql-user-policy.json`
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::postgresql/*", "arn:aws:s3:::postgresql"],
"Sid": ""
}
]
}
```
5. Apply the bucket policies
```sh
mc admin policy add minio postgresql-private postgresql-user-policy.json
```
6. Associate private policy with the user
```sh
mc admin policy set minio postgresql-private user=postgresql
```


@@ -0,0 +1,203 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/postgres-operator.crunchydata.com/postgrescluster_v1beta1.json
apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PostgresCluster
metadata:
name: &name postgres
spec:
postgresVersion: 17
metadata:
labels:
crunchy-userinit.ramblurr.github.com/enabled: "true"
crunchy-userinit.ramblurr.github.com/superuser: postgres
patroni: # turn on sync writes to at least 1 other replica
dynamicConfiguration:
synchronous_mode: true
postgresql:
max_wal_size: 5GB
synchronous_commit: "on"
pg_hba:
- hostnossl authelia all 192.168.8.0/22 md5 # Needed because authelia does not support SSL yet
- hostssl all all all md5
parameters:
max_connections: 500
instances:
- name: postgres
metadata:
labels:
app.kubernetes.io/name: crunchy-postgres
replicas: &replica 2
dataVolumeClaimSpec:
storageClassName: openebs-hostpath
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 80Gi
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
postgres-operator.crunchydata.com/cluster: *name
postgres-operator.crunchydata.com/data: postgres
users:
# Superuser
- name: postgres
databases:
- postgres
options: SUPERUSER
password: &password
type: AlphaNumeric
# Applications
- name: authelia
databases:
- authelia
password: *password
- name: bazarr
databases:
- bazarr_main
- bazarr_log
password: *password
- name: ghostfolio
databases:
- ghostfolio
password: *password
- name: home-assistant
databases:
- home-assistant
password: *password
- name: joplin
databases:
- joplin
password: *password
- name: lldap
databases:
- lldap
password: *password
- name: lidarr
databases:
- lidarr_main
- lidarr_log
password: *password
- name: lychee
databases:
- lychee
password: *password
- name: outline
databases:
- outline
password: *password
- name: paperless
databases:
- paperless
password: *password
- name: prowlarr
databases:
- prowlarr_main
- prowlarr_logs
password: *password
- name: pushover-notifier
databases:
- pushover-notifier
password: *password
- name: radarr
databases:
- radarr_main
- radarr_log
password: *password
- name: sonarr
databases:
- sonarr_main
- sonarr_log
password: *password
- name: tandoor
databases:
- tandoor
password: *password
- name: vikunja
databases:
- vikunja
password: *password
backups:
pgbackrest:
configuration: &backupConfig
- secret:
name: crunchy-postgres-secret
global: &backupFlag
compress-type: bz2
compress-level: "9"
# Minio
repo1-block: y
repo1-bundle: y
repo1-path: /crunchy-pgo
repo1-retention-full: "30" # days
repo1-retention-full-type: time
repo1-s3-uri-style: path
manual:
repoName: repo1
options:
- --type=full
metadata:
labels:
app.kubernetes.io/name: crunchy-postgres-backup
repos:
- name: repo1 # Minio
s3: &minio
bucket: crunchy-postgres-operator
endpoint: "s3.${SECRET_INTERNAL_DOMAIN}"
region: us-east-1
schedules:
full: 0 1 * * 0 # Sunday at 01:00
differential: 0 1 * * 1-6 # Mon-Sat at 01:00
incremental: 0 2-23 * * * # Every hour except 01:00
# dataSource:
# pgbackrest:
# stanza: "db"
# configuration: *backupConfig
# global: *backupFlag
# repo:
# name: "repo1"
# s3: *minio
monitoring:
pgmonitor:
exporter:
resources:
requests:
cpu: 10m
memory: 64M
limits:
memory: 512M
proxy:
pgBouncer:
port: 5432
service:
metadata:
annotations:
lbipam.cilium.io/ips: ${CLUSTER_LB_POSTGRES}
type: LoadBalancer
replicas: *replica
metadata:
labels:
app.kubernetes.io/name: crunchy-postgres-pgbouncer
config:
global:
pool_mode: session # Grafana requires session https://github.com/grafana/grafana/issues/74260#issuecomment-1702795311. Everything else is happy with transaction
client_tls_sslmode: prefer
default_pool_size: "100"
max_client_conn: "500"
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
postgres-operator.crunchydata.com/cluster: *name
postgres-operator.crunchydata.com/role: pgbouncer
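Review bot: The pgBackRest `global` block (the `repo1-block`/`repo1-bundle` stanza) never sets `repo1-cipher-type`, while the companion `crunchy-postgres-secret` supplies a `repo1-cipher-pass`; pgBackRest only encrypts a repo when the cipher type is set and, to my knowledge, rejects a cipher pass given without one, so backups are either written unencrypted or the stanza fails to configure — unless the type is set in a file outside this diff. Add `repo1-cipher-type: aes-256-cbc` next to `repo1-block: y`, and note that the cipher cannot be switched on an existing stanza, so this needs a fresh `repo1-path` if backups already exist under `/crunchy-pgo`. Separately, both `pg_hba` rules use `md5`; PGO stores passwords as SCRAM by default, so `scram-sha-256` is the matching method, and the `hostnossl authelia` exception is worth re-checking against the current Authelia storage TLS options before keeping a cleartext path on the LAN. With `client_tls_sslmode: prefer` on the LoadBalancer-exposed pgBouncer, clients can still negotiate plaintext; `require` would enforce the `hostssl` intent end to end.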


@@ -0,0 +1,26 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: crunchy-postgres
spec:
refreshInterval: 5m
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: crunchy-postgres-secret
template:
engineVersion: v2
data:
s3.conf: |
[global]
repo1-s3-key={{ .CRUNCHY_POSTGRES_S3_ACCESS_KEY }}
repo1-s3-key-secret={{ .CRUNCHY_POSTGRES_S3_SECRET_KEY }}
encryption.conf: |
[global]
repo1-cipher-pass={{ .CRUNCHY_POSTGRES_BACKUP_ENCRYPTION_CIPHER }}
dataFrom:
- extract:
key: crunchy-postgres
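Review bot: `repo1-cipher-pass` in `encryption.conf` is a long-lived key: every backup written under the repo path is encrypted with it, and rotating the 1Password item later makes the existing archive unreadable, which the 5m `refreshInterval` will propagate silently. A comment above `encryption.conf: |` such as `# Do not rotate: changing the cipher pass orphans every backup already in repo1` would save the next person that lesson. If `CRUNCHY_POSTGRES_BACKUP_ENCRYPTION_CIPHER` is ever absent from the item, the template may still render (with an empty or placeholder pass depending on the engine's missing-key behaviour), so check the rendered secret after the first sync rather than relying on the ExternalSecret status alone.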


@@ -0,0 +1,8 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./externalsecret.yaml
- ./cluster.yaml
- ./podmonitor.yaml


@@ -0,0 +1,37 @@
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: cpgo-postgres
spec:
jobLabel: cpgo-postgres
namespaceSelector:
matchNames:
- database
podMetricsEndpoints:
- honorLabels: true
path: /metrics
port: exporter
relabelings:
- sourceLabels:
[
"__meta_kubernetes_namespace",
"__meta_kubernetes_pod_label_postgres_operator_crunchydata_com_cluster",
]
targetLabel: pg_cluster
separator: "/"
replacement: "$1$2"
- sourceLabels:
[
__meta_kubernetes_pod_label_postgres_operator_crunchydata_com_instance,
]
targetLabel: deployment
- sourceLabels:
[__meta_kubernetes_pod_label_postgres_operator_crunchydata_com_role]
targetLabel: role
- sourceLabels: [__meta_kubernetes_pod_name]
targetLabel: instance
selector:
matchLabels:
postgres-operator.crunchydata.com/cluster: postgres
postgres-operator.crunchydata.com/crunchy-postgres-exporter: "true"


@@ -0,0 +1,19 @@
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: crunchy-pgo-secrets
spec:
provider:
kubernetes:
remoteNamespace: database
server:
caProvider:
type: ConfigMap
name: kube-root-ca.crt
namespace: database
key: ca.crt
auth:
serviceAccount:
name: external-secrets-pg
namespace: database
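Review bot: This ClusterSecretStore has no `spec.conditions`, so an ExternalSecret in any namespace can read any Secret in `database` through it — including the `postgres` superuser secret and `crunchy-postgres-secret` holding the S3 keys and backup cipher pass, not just the per-app user secrets it appears intended to share. Restrict the consumers, e.g. `conditions: [{namespaceSelector: {matchLabels: {db-access: "true"}}}]` or an explicit `namespaces:` list, and consider a second store if only application user secrets should ever leave the namespace. A one-line comment above `provider:` stating that this store exposes the `database` namespace cluster-wide would also make the blast radius obvious to future readers.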


@@ -0,0 +1,7 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./rbac.yaml
- ./clustersecretstore.yaml


@@ -0,0 +1,31 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-secrets-pg
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authorization.k8s.io"]
resources: ["selfsubjectrulesreviews"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: &name external-secrets-pg
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: *name
subjects:
- kind: ServiceAccount
name: *name
namespace: database
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets-pg
namespace: database
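Review bot: The ClusterRole grants get/list/watch on Secrets in every namespace, but the store it backs only reads `remoteNamespace: database`, so the ServiceAccount token holds far more than it uses and a leak of it reads every Secret in the cluster. A namespaced Role plus RoleBinding in `database` is enough here; the `selfsubjectrulesreviews` create verb is, in a default RBAC install, already granted to all authenticated subjects via `system:basic-user`, so it can stay in the Role without harm. The rewritten pair is below; the ServiceAccount is unchanged.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: external-secrets-pg
  namespace: database
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["selfsubjectrulesreviews"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: &name external-secrets-pg
  namespace: database
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: *name
subjects:
  - kind: ServiceAccount
    name: *name
    namespace: database
# … unchanged: ServiceAccount …
```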


@@ -0,0 +1,110 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app crunchy-postgres-operator
namespace: flux-system
spec:
targetNamespace: database
commonMetadata:
labels:
app.kubernetes.io/name: *app
interval: 30m
timeout: 5m
path: ./kubernetes/apps/database/crunchy-postgres-operator/operator
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: true
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app crunchy-postgres-operator-cluster
namespace: flux-system
spec:
targetNamespace: database
commonMetadata:
labels:
app.kubernetes.io/name: *app
interval: 30m
timeout: 5m
path: ./kubernetes/apps/database/crunchy-postgres-operator/cluster
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: true
dependsOn:
- name: crunchy-postgres-operator
- name: external-secrets-stores
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app crunchy-postgres-operator-secretstore
namespace: flux-system
spec:
targetNamespace: database
commonMetadata:
labels:
app.kubernetes.io/name: *app
interval: 30m
timeout: 5m
path: ./kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: true
dependsOn:
- name: crunchy-postgres-operator-cluster
- name: external-secrets
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app crunchy-postgres-userinit-controller
namespace: flux-system
spec:
targetNamespace: database
commonMetadata:
labels:
app.kubernetes.io/name: *app
interval: 30m
timeout: 5m
path: ./kubernetes/apps/database/crunchy-postgres-operator/userinit-controller
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: true
dependsOn:
- name: crunchy-postgres-operator-cluster
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app crunchy-postgres-pgadmin
namespace: flux-system
spec:
targetNamespace: database
commonMetadata:
labels:
app.kubernetes.io/name: *app
interval: 30m
timeout: 5m
path: ./kubernetes/apps/database/crunchy-postgres-operator/pgadmin
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: true
dependsOn:
- name: crunchy-postgres-operator-cluster


@@ -0,0 +1,28 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: crunchy-postgres-operator
spec:
interval: 30m
chart:
spec:
chart: pgo
version: 5.7.2
sourceRef:
kind: HelmRepository
name: crunchydata
namespace: flux-system
interval: 5m
install:
crds: CreateReplace
upgrade:
crds: CreateReplace
dependsOn:
- name: openebs
namespace: openebs-system
values:
install:
clusterLabels:
app.kubernetes.io/name: pgo
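Review bot: Unlike the other HelmReleases in this change (emqx, and the cloudnative-pg one being removed), this release sets no `install.remediation`/`upgrade.remediation` and no `uninstall.keepHistory`, so a failed first install stays failed until someone intervenes and a failed upgrade is not rolled back. Adding `remediation: {retries: 3}` under `install:` and `cleanupOnFail: true` plus `remediation: {strategy: rollback, retries: 3}` under `upgrade:` matches the repo's convention. `chart.spec.interval: 5m` is also tighter than the 30m used elsewhere; harmless, but a comment would say whether it is intentional.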


@@ -0,0 +1,6 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml


@@ -14,10 +14,7 @@ spec:
engineVersion: v2
data:
# App
PGADMIN_DEFAULT_EMAIL: "{{ .username }}"
PGADMIN_DEFAULT_PASSWORD: "{{ .password }}"
PGADMIN_PASSWORD: "{{ .password }}"
dataFrom:
- extract:
key: cloudnative-pg
- extract:
key: pgadmin


@@ -0,0 +1,33 @@
---
# trunk-ignore(checkov/CKV_K8S_21)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pgadmin
annotations:
hajimari.io/icon: mdi:database
gethomepage.dev/enabled: "true"
gethomepage.dev/name: pgAdmin
gethomepage.dev/description: PostgreSQL management tool.
gethomepage.dev/group: Infrrastructure
gethomepage.dev/icon: pgadmin.png
gethomepage.dev/pod-selector: >-
app in (
pgadmin
)
spec:
ingressClassName: internal
tls:
- hosts:
- &host pgadmin.${SECRET_EXTERNAL_DOMAIN}
rules:
- host: *host
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: pgadmin
port:
number: 5050
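Review bot: Nothing on this Ingress gates access before pgAdmin's own login form — there are no forward-auth annotations — and the PGAdmin resource added in the same change registers every PostgresCluster in the namespace, so that form is the only barrier in front of a SQL console over clusters whose superuser is managed by the operator (unless the `internal` class injects SSO itself, which is not visible here). The app-template HelmRelease this replaces carried a `secret.reloader.stakater.com/reload: authelia-secret` annotation, which suggests Authelia was part of the old setup; if the class is ingress-nginx, restoring `nginx.ingress.kubernetes.io/auth-url` and `auth-signin` annotations pointing at Authelia would keep that layer. The `tls:` entry has no `secretName`, which is fine only if the class provides a default certificate for `${SECRET_EXTERNAL_DOMAIN}`; a comment saying so avoids the question on the next review.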


@@ -2,9 +2,8 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./cluster16.yaml
- ./pgdump
- ./prometheusrule.yaml
- ./scheduledbackup.yaml
- ./externalsecret.yaml
- ./ingress.yaml
- ./pgadmin.yaml
- ./service.yaml


@@ -0,0 +1,22 @@
---
apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PGAdmin
metadata:
name: pgadmin
spec:
users:
- username: admin@homelab.io
role: Administrator
passwordRef:
name: pgadmin-secret
key: PGADMIN_PASSWORD
dataVolumeClaimSpec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
serverGroups:
- name: supply
postgresClusterSelector: {}
serviceName: pgadmin
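Review bot: `postgresClusterSelector: {}` deserves a comment, since an empty selector registers every PostgresCluster in the namespace with this pgAdmin, and `serverGroups[].name: supply` reads like a leftover rather than a description of that group. Suggested: `# empty selector: every PostgresCluster in this namespace is auto-registered` above the selector, and a group name such as `database`. `username: admin@homelab.io` is a literal address on a domain this deployment does not appear to control; pgAdmin uses it only as a login id, but sourcing it from `pgadmin-secret` alongside the password (as the removed `PGADMIN_DEFAULT_EMAIL` template did) keeps the admin identity out of git.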


@@ -0,0 +1,14 @@
---
# trunk-ignore(checkov/CKV_K8S_21)
apiVersion: v1
kind: Service
metadata:
name: pgadmin
spec:
type: ClusterIP
ports:
- name: pgadmin-port
port: 5050
protocol: TCP
selector:
postgres-operator.crunchydata.com/pgadmin: pgadmin
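Review bot: The PGAdmin resource in this same change sets `serviceName: pgadmin`, and to my reading of the PGO docs the operator creates (or updates, if one already exists) a ClusterIP Service of that name for the pgAdmin pod; this hand-written Service with the same name means two controllers reconciling one object, so expect churn or a Flux prune/ownership conflict unless PGO leaves pre-existing Services untouched — worth confirming against operator 5.7.2. If it is kept deliberately, e.g. to pin the `pgadmin-port` name the Ingress could reference, say so: `# kept alongside PGAdmin.spec.serviceName so the service shape is owned by Flux, not the operator`.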


@@ -0,0 +1,17 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: userinit-controller
spec:
interval: 30m
chart:
spec:
chart: crunchy-userinit-controller
version: 0.0.4
sourceRef:
kind: HelmRepository
name: crunchy-userinit
values:
fullnameOverride: crunchy-userinit-controller
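Review bot: This chart is pulled from a personal GitHub Pages Helm repo, and the PostgresCluster in this change carries `crunchy-userinit.ramblurr.github.com/superuser: postgres`, so whatever this controller runs is handed superuser credentials to the database; pinning `version: 0.0.4` fixes the chart text but not the image it references, and an HTTP HelmRepository cannot be signature-verified by Flux. Pin the controller image by digest through the chart's values if it exposes one, or mirror the chart into a repository you control, and add a comment above `chart:` recording that this is a third-party controller operating with DB superuser rights. The `sourceRef` omits `namespace`, which only works because the HelmRepository is installed into the same namespace as this release — an explicit `namespace: database` would make that coupling visible.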


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: crunchy-userinit
spec:
interval: 30m
url: https://ramblurr.github.io/crunchy-userinit-controller
timeout: 3m


@@ -0,0 +1,7 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrepository.yaml
- ./helmrelease.yaml


@@ -3,23 +3,20 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: cloudnative-pg-postgres16-pgdump
namespace: default
name: emqx
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: cloudnative-pg-postgres16-pgdump-secret
name: emqx-secret
template:
engineVersion: v2
data:
# App
POSTGRES_HOST: postgres16-rw.database.svc.cluster.local
POSTGRES_USER: "{{ .POSTGRES_SUPER_USER }}"
POSTGRES_PASSWORD: "{{ .POSTGRES_SUPER_PASS }}"
POSTGRES_PORT: "5432"
admin_password: "{{ .password }}"
user_1_username: "{{ .EMQX_MQTT_USER }}"
user_1_password: "{{ .EMQX_MQTT_PASSWORD }}"
dataFrom:
- extract:
key: cloudnative-pg
key: emqx


@@ -0,0 +1,83 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: emqx
spec:
interval: 30m
chart:
spec:
chart: emqx
version: 5.8.4
sourceRef:
kind: HelmRepository
name: emqx
namespace: flux-system
maxHistory: 2
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
values:
image:
repository: public.ecr.aws/emqx/emqx
replicaCount: 3
recreatePods: true
emqxConfig:
EMQX_ALLOW_ANONYMOUS: "false"
EMQX_AUTH__MNESIA__PASSWORD_HASH: plain
EMQX_DASHBOARD__DEFAULT_USERNAME: admin
service:
type: LoadBalancer
loadBalancerIP: ${CLUSTER_LB_EMQX}
externalTrafficPolicy: Local
ingress:
dashboard:
enabled: true
ingressClassName: internal
annotations:
hajimari.io/appName: "EMQX"
hajimari.io/icon: simple-icons:eclipsemosquitto
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Media
gethomepage.dev/name: EMQX
gethomepage.dev/icon: emqx.png
path: /
pathType: Prefix
hosts:
- &host "emqx.${SECRET_EXTERNAL_DOMAIN}"
tls:
- hosts:
- *host
metrics:
enabled: false
persistence:
enabled: true
storageClass: rook-ceph-block
size: 400Mi
resources:
requests:
cpu: 100m
memory: 150Mi
limits:
memory: 512Mi
valuesFrom:
- targetPath: emqxConfig.EMQX_DASHBOARD__DEFAULT_PASSWORD
kind: Secret
name: emqx-secret
valuesKey: admin_password
- targetPath: emqxConfig.EMQX_AUTH__USER__1__USERNAME
kind: Secret
name: emqx-secret
valuesKey: user_1_username
- targetPath: emqxConfig.EMQX_AUTH__USER__1__PASSWORD
kind: Secret
name: emqx-secret
valuesKey: user_1_password
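Review bot: The authentication settings under `emqxConfig` — `EMQX_ALLOW_ANONYMOUS`, `EMQX_AUTH__MNESIA__PASSWORD_HASH` and the `EMQX_AUTH__USER__1__*` values injected via `valuesFrom` — are EMQX 4.x configuration keys, while chart `5.8.4` deploys EMQX 5 whose config tree is different (`authentication`, `listeners`); to my knowledge EMQX 5 ignores unknown `EMQX_*` variables, so the broker may be running with no authenticator at all while published on a LoadBalancer IP. Verify in the dashboard that an authenticator is active; if not, configure the built-in database one through EMQX 5 keys (e.g. `EMQX_AUTHENTICATION__1__MECHANISM: password_based` and `EMQX_AUTHENTICATION__1__BACKEND: built_in_database`) and create the MQTT user through the API or a bootstrap file rather than the 4.x env vars. Even where honored, `PASSWORD_HASH: plain` stores the credential unhashed; a salted `sha256` or `bcrypt` option is the better default. `gethomepage.dev/group: Media` also looks copied from another app's annotations.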


@@ -5,5 +5,3 @@ kind: Kustomization
resources:
- ./externalsecret.yaml
- ./helmrelease.yaml
- ../../../../templates/gatus/guarded
- ../../../../templates/volsync


@@ -1,24 +1,23 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app pgadmin
name: &app emqx
namespace: flux-system
spec:
targetNamespace: database
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/database/pgadmin/app
dependsOn:
- name: rook-ceph-cluster
- name: external-secrets-stores
path: ./kubernetes/apps/database/emqx/app
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
dependsOn:
- name: rook-ceph-cluster
- name: external-secrets-stores
- name: volsync
wait: false
interval: 30m
retryInterval: 1m
@@ -26,6 +25,3 @@ spec:
postBuild:
substitute:
APP: *app
VOLSYNC_CAPACITY: 2Gi
VOLSYNC_UID: "5050"
VOLSYNC_GID: "0"


@@ -6,7 +6,7 @@ resources:
# Pre Flux-Kustomizations
- ./namespace.yaml
# Flux-Kustomizations
- ./cloudnative-pg/ks.yaml
- ./crunchy-postgres-operator/ks.yaml
- ./dragonfly/ks.yaml
- ./emqx/ks.yaml
- ./influx/ks.yaml
- ./pgadmin/ks.yaml


@@ -14,7 +14,7 @@ metadata:
namespace: database
spec:
type: alertmanager
address: http://kube-prometheus-stack-alertmanager.monitoring:9093/api/v2/alerts/
address: http://kube-prometheus-stack-alertmanager.observability:9093/api/v2/alerts/
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
apiVersion: notification.toolkit.fluxcd.io/v1beta3


@@ -1,98 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app pgadmin
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.6.0
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 2
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
uninstall:
keepHistory: false
values:
annotations:
reloader.stakater.com/auto: "true"
secret.reloader.stakater.com/reload: authelia-secret
defaultPodOptions:
securityContext:
runAsUser: 5050
runAsGroup: 0
fsGroup: 0
fsGroupChangePolicy: OnRootMismatch
controllers:
pgadmin:
containers:
app:
image:
repository: dpage/pgadmin4
tag: 8.14@sha256:8a68677a97b8c8d1427dc915672a26d2c4a04376916a68256f53d669d6171be7
env:
PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION: "False"
envFrom:
- secretRef:
name: pgadmin-secret
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
memory: 500Mi
service:
app:
controller: *app
ports:
http:
port: 80
ingress:
app:
enabled: true
className: nginx
annotations:
hajimari.io/icon: mdi:database
gethomepage.dev/enabled: "true"
gethomepage.dev/name: pgAdmin
gethomepage.dev/description: PostgreSQL management tool.
gethomepage.dev/group: Infrrastructure
gethomepage.dev/icon: pgadmin.png
gethomepage.dev/pod-selector: >-
app in (
pgadmin
)
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
paths:
- path: /
service:
identifier: app
port: http
tls:
- hosts:
- *host
persistence:
config:
enabled: true
existingClaim: *app
globalMounts:
- path: /var/lib/pgadmin
sessions:
enabled: true
type: emptyDir
globalMounts:
- path: /var/lib/pgadmin/sessions