♻️ flux kustomizations

kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml

@@ -0,0 +1,51 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: postgres
+  namespace: default
+  annotations:
+    kyverno.io/ignore: "true"
+spec:
+  instances: 3
+  primaryUpdateStrategy: unsupervised
+  storage:
+    size: 20Gi
+    storageClass: rook-ceph-block
+  superuserSecret:
+    name: postgres-superuser
+  monitoring:
+    enablePodMonitor: true
+  backup:
+    retentionPolicy: 30d
+    barmanObjectStore:
+      wal:
+        compression: bzip2
+        maxParallel: 8
+      destinationPath: s3://postgresql/
+      endpointURL: https://truenas.${SECRET_DOMAIN}:51515
+      serverName: postgres-v4
+      s3Credentials:
+        accessKeyId:
+          name: postgres-minio
+          key: MINIO_ACCESS_KEY
+        secretAccessKey:
+          name: postgres-minio
+          key: MINIO_SECRET_KEY
+  # bootstrap:
+  #   recovery:
+  #     source: postgres
+  # externalClusters:
+  #   - name: postgres
+  #     barmanObjectStore:
+  #       destinationPath: s3://postgresql/
+  #       endpointURL: https://truenas.${SECRET_DOMAIN}:51515
+  #       s3Credentials:
+  #         accessKeyId:
+  #           name: postgres-minio
+  #           key: MINIO_ACCESS_KEY
+  #         secretAccessKey:
+  #           name: postgres-minio
+  #           key: MINIO_SECRET_KEY
+  #       wal:
+  #         maxParallel: 8

kubernetes/apps/default/cloudnative-pg/cluster/external-backup/00-webhook

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -e
+
+# Possible actions: error, pre-backup, post-backup
+ACTION="$1"
+
+if [ "$WEBHOOK_URL" != "**None**" ]; then
+  case "$ACTION" in
+    "error")
+      echo "Execute error webhook call to $WEBHOOK_URL"
+      curl --url "$WEBHOOK_URL" \
+        --header 'Content-Type: application/json' \
+        --max-time 10 \
+        --retry 5 \
+        $WEBHOOK_EXTRA_ARGS
+      ;;
+#   "pre-backup")
+#     echo "Nothing to do"
+#     ;;
+    "post-backup")
+      echo "Execute post-backup webhook call to $WEBHOOK_URL"
+      curl --url "$WEBHOOK_URL" \
+        --header 'Content-Type: application/json' \
+        --max-time 10 \
+        --retry 5 \
+        $WEBHOOK_EXTRA_ARGS
+      ;;
+  esac
+fi

kubernetes/apps/default/cloudnative-pg/cluster/external-backup/cronjob.yaml

@@ -0,0 +1,62 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: &app cloudnative-pg-external-backup
+  namespace: default
+spec:
+  schedule: "@daily"
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: 86400
+      template:
+        spec:
+          automountServiceAccountToken: false
+          restartPolicy: OnFailure
+          containers:
+            - name: *app
+              image: prodrigestivill/postgres-backup-local:15-alpine@sha256:1209779d7b39a9f73d498091452051fedfe140252bff59ea1c42e0a9a8a9b8e0
+              env:
+                - name: POSTGRES_HOST
+                  value: ${POSTGRES_HOST}
+                - name: POSTGRES_DB
+                  value: "authelia,drone,freshrss,gitea,invidious,joplin,lychee,paperless,recipes,sharry,outline,vaultwarden,vikunja,wallabag"
+                - name: POSTGRES_USER
+                  valueFrom:
+                    secretKeyRef:
+                      name: postgres-superuser
+                      key: username
+                - name: POSTGRES_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: postgres-superuser
+                      key: password
+                - name: POSTGRES_EXTRA_OPTS
+                  value: "-Z9 --schema=public --blobs"
+                - name: BACKUP_KEEP_DAYS
+                  value: "7"
+                - name: BACKUP_KEEP_WEEKS
+                  value: "4"
+                - name: BACKUP_KEEP_MONTHS
+                  value: "3"
+                - name: HEALTHCHECK_PORT
+                  value: "8080"
+                - name: WEBHOOK_URL
+                  value: https://uptime-kuma.${SECRET_CLUSTER_DOMAIN}/api/push/45cHKtahUg?status=up&msg=OK&ping=
+              command:
+                - "/backup.sh"
+              volumeMounts:
+                - name: backups
+                  mountPath: /backups
+                - name: files
+                  subPath: 00-webhook
+                  mountPath: /hooks/00-webhook
+          volumes:
+            - name: backups
+              nfs:
+                server: "${LOCAL_LAN_TRUENAS}"
+                path: /mnt/storage/backups/postgresql
+            - name: files
+              configMap:
+                name: postgres-external-backup
+                defaultMode: 0555

kubernetes/apps/default/cloudnative-pg/cluster/external-backup/kustomization.yaml

@@ -0,0 +1,13 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./cronjob.yaml
+configMapGenerator:
+  - name: postgres-external-backup
+    files:
+      - ./00-webhook
+generatorOptions:
+  disableNameSuffixHash: true

kubernetes/apps/default/cloudnative-pg/cluster/kustomization.yaml

@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./cluster.yaml
+  - ./external-backup
+  - ./secret.sops.yaml
+  - ./scheduledbackup.yaml

kubernetes/apps/default/cloudnative-pg/cluster/scheduledbackup.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: postgres
+  namespace: default
+spec:
+  schedule: "@daily"
+  immediate: true
+  backupOwnerReference: self
+  cluster:
+    name: postgres

kubernetes/apps/default/cloudnative-pg/cluster/secret.sops.yaml

@@ -0,0 +1,31 @@
+kind: Secret
+apiVersion: v1
+type: Opaque
+metadata:
+    name: postgres-minio
+    namespace: default
+    labels:
+        k8s.enterprisedb.io/reload: "true"
+stringData:
+    MINIO_ACCESS_KEY: ENC[AES256_GCM,data:lEOKspQaoN5FxOGSnpQuTAzzHrI=,iv:VJQAWK8Sia/wL4iAdpir5fJxBLP1fDQWqj5pBDO6x/g=,tag:5Jf612CStm7NcW1YdrOq1A==,type:str]
+    MINIO_SECRET_KEY: ENC[AES256_GCM,data:Saad8zdhNfJdCDM/3cwVAtp/Cx8F0R4AFERJA3xT7ZC7M0GptDVaGg==,iv:DnmbB6VCRa2itDLAYwGL3LkTBQlf4sVwu1O5+ZmuukQ=,tag:fG6XMj/rC3moGKVZJn9PBA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQand1M1U2SytHclJSN1I3
+            NzdvdjZMQnJPSW9GUXo1SkZ1elRVY1NvK0FJClpiVk9JVWxHSlIwSXZDSWRoOXI4
+            YkxVeDR5V09OTS92YmpMeUl2a1QyRlUKLS0tIG9iNGJlaDQ3UW1uelFla0cySXRC
+            SzhQOGRzNnYzcEVjVG0rOUt1T1ZJQkkKtbXybUgBFr69GvBmo8+7J1xrtxJ7y1wo
+            ZhV6dzuxc2QSd3o9A6f9J/wg9DHtBHviK5nP0K/edHth9darJw/3Eg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-10-25T23:37:42Z"
+    mac: ENC[AES256_GCM,data:VZ5+kUZsCJxiWV7JS+Enhi0yNJ6m+Oi5IurYNxI0gb2+CqENqn4uvOSNMgKTZAc3d/stuI5OGdBbRJo0aBu0hZ950cgbGV6gfEbzzTO9HRstgAwqnEZHj6DPRLcXkCs0jP1p2p0WICe2HZ113C2aN3MjP47J1Jau3yaJlGOsOuU=,iv:EaxUx+ivqYgBm1wUXsCscoJt7x6+3pSM0QZY8h9eI6U=,tag:Q5ix3VW7C2rgm2R3AMDuDA==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3