initial commit

Author: Yannic Nevado

Readme.md

@@ -0,0 +1,86 @@
+# Custom Postgres Operator
+
+This repository contains a custom setup for an [HA](https://www.postgresql.org/docs/current/high-availability.html) [Postgres](https://www.postgresql.org/) cluster, based on [Postgres Operator](https://github.com/zalando/postgres-operator) from [Patroni](https://github.com/zalando/spilo).
+
+The Cluster runs on an [K8s](https://kubernetes.io/) Cluster which is managed by [Rancher](https://rancher.com/) and hosted at the infrastructure of Proventa AG.
+
+
+## Setup on K8s cluster(Rancher) 
+
+* *Projectname:* zalando-postgres
+* *Namespace:* zalando-postgres
+* 3 Nodes
+* *LoadBalancer:* [Metallb](https://metallb.universe.tf)
+  * access actual Postgres master over external-IP and specified port
+  * required VPN connection!!
+
+## Installation
+
+The installation will be executed by applying manifests in a specific order, based on the operator installation from patroni. The setup is deployed to an specific namespace  named *zalando-postgres* which must be ceated on the K8s cluster. You also can setup the operator(+Postgres cluster) with Helm chart or Operator Lifecycle Manager.
+(fyi: you can also set the current-context for kubectl, here ns=zalando-postgres for example)
+
+### Create the operator
+
+```shell
+# operator configuration
+$ kubectl create -f manifests/configmap.yaml --namespace zalando-postgres
+# identity and permissions
+$ kubectl create -f manifests/operator-service-account-rbac.yaml --namespace zalando-postgres
+# deploy operator to K8s
+$ kubectl create -f manifests/postgres-operator.yaml --namespace zalando-postgres
+```
+
+### Check operator status
+
+* get all pods in the `namespace zalando-postgres` with the operator label `name=postgres-operator`
+
+```shell
+$ kubectl get pod -l name=postgres-operator --namespace zalando-postgres
+```
+
+### Create Postgres cluster
+
+* create a Postgres cluster from [postgres manifest](manifest/minimal-postgres-manifest.yml) with the specified values, like databases, users and *postgresql.conf* parameters
+
+```shell
+$ kubectl create -f manifests/minimal-postgres-manifest.yaml --namespace zalando-postgres
+```
+
+### Check Postgres cluster status
+
+```shell
+# check the deployed cluster
+$ kubectl get postgresql
+# check created database pods with spilo-role (master, replica)
+$ kubectl get pods -l application=spilo -L spilo-role --namespace zalando-postgres
+# check created service resources and get ext. loadbalancer ip and port
+$ kubectl get svc -l application=spilo -L spilo-role --namespace zalando-postgres
+```
+
+### Update Postgres cluster
+
+You can update the Postgres cluster with the *manifest file* or directly with *psql-client*.
+
+* After editting Postgres cluster file apply the modified configuration
+  * `kubectl get svc -l application=spilo -L spilo-role --namespace zalando-postgres`
+* Restart(Reload?) Patroni
+  * `kubectl exec -i <Pod-Name> supervisorctl restart patroni --namespace zalando-postgres`
+
+### Connect to Postgres master
+
+* required `pg_hba.conf` entry for the external LoadBalancer IP
+
+```shell
+$ psql -h <LoadBalancer-IP> -p <LoadBalancer-Port>  -d <databasename> -U <databaseuser>
+```
+
+* connect directly from shell in Rancher
+
+```shell
+$ psql -d <databasename> -U <databaseuser>
+```
+
+## Referenced
+
+* [Patroni Postgres Operator](https://github.com/zalando/postgres-operator)
+  * [Documentation](https://postgres-operator.readthedocs.io/en/latest/)

manifests/Readme.md

@@ -0,0 +1 @@
+# Manifest Files

manifests/complete-postgres-manifest.yaml

@@ -0,0 +1,94 @@
+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+  name: acid-test-cluster
+#  labels:
+#    environment: demo
+spec:
+  dockerImage: registry.opensource.zalan.do/acid/spilo-11:1.6-p1
+  initContainers:
+  - name: date
+    image: busybox
+    command: [ "/bin/date" ]
+  teamId: "ACID"
+  volume:
+    size: 1Gi
+#   storageClass: my-sc
+  numberOfInstances: 2
+  users:  # Application/Robot users
+    zalando:
+    - superuser
+    - createdb
+  enableMasterLoadBalancer: true
+  enableReplicaLoadBalancer: true
+  allowedSourceRanges:  # load balancers' source ranges for both master and replica services
+  - 127.0.0.1/32
+  databases:
+    foo: zalando
+
+# Expert section
+
+  enableShmVolume: true
+# spiloFSGroup: 103
+  postgresql:
+    version: "11"
+    parameters:
+      shared_buffers: "32MB"
+      max_connections: "10"
+      log_statement: "all"
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+    limits:
+      cpu: 300m
+      memory: 300Mi
+  patroni:
+    initdb:
+      encoding: "UTF8"
+      locale: "en_US.UTF-8"
+      data-checksums: "true"
+    pg_hba:
+    - hostssl all all 0.0.0.0/0 md5
+    - host    all all 0.0.0.0/0 md5
+#   slots:
+#     - permanent_physical_1:
+#         type: physical
+#     - permanent_logical_1:
+#         type: logical
+#         database: foo
+#         plugin: pgoutput
+    ttl: 30
+    loop_wait: &loop_wait 10
+    retry_timeout: 10
+    maximum_lag_on_failover: 33554432
+# restore a Postgres DB with point-in-time-recovery
+# with a non-empty timestamp, clone from an S3 bucket using the latest backup before the timestamp
+# with an empty/absent timestamp, clone from an existing alive cluster using pg_basebackup
+# clone:
+#   uid: "efd12e58-5786-11e8-b5a7-06148230260c"
+#   cluster: "acid-batman"
+#   timestamp: "2017-12-19T12:40:33+01:00"  # timezone required (offset relative to UTC, see RFC 3339 section 5.6)
+#   s3_wal_path: "s3://custom/path/to/bucket"
+
+# run periodic backups with k8s cron jobs
+  enableLogicalBackup: true
+  logicalBackupSchedule: "30 00 * * *"
+  s3_access_key_id: "production_volume_backup"
+  s3_secret_access_key: "qXQzlfeXop8MhCd9oP5H"
+  maintenanceWindows:
+  - 01:00-06:00  #UTC
+  - Sat:00:00-04:00
+# sidecars:
+#   - name: "telegraf-sidecar"
+#     image: "telegraf:latest"
+#     resources:
+#       limits:
+#         cpu: 500m
+#         memory: 500Mi
+#       requests:
+#         cpu: 100m
+#         memory: 100Mi
+#      env:
+#        - name: "USEFUL_VAR"
+#          value: "perhaps-true"

manifests/configmap.yaml

@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-operator
+data:
+  # additional_secret_mount: "some-secret-name"
+  # additional_secret_mount_path: "/some/dir"
+  api_port: "8080"
+  aws_region: eu-central-1
+  cluster_domain: cluster.local
+  cluster_history_entries: "1000"
+  cluster_labels: application:spilo
+  cluster_name_label: version
+  # custom_service_annotations:
+  #   "keyx:valuez,keya:valuea"
+  db_hosted_zone: db.example.com
+  debug_logging: "true"
+  # default_cpu_limit: "3"
+  # default_cpu_request: 100m
+  # default_memory_limit: 1Gi
+  # default_memory_request: 100Mi
+  docker_image: registry.opensource.zalan.do/acid/spilo-11:1.6-p1
+  # enable_admin_role_for_users: "true"
+  # enable_database_access: "true"
+  enable_master_load_balancer: "true"
+  # enable_pod_antiaffinity: "false"
+  # enable_pod_disruption_budget: "true"
+  enable_replica_load_balancer: "false"
+  # enable_shm_volume: "true"
+  # enable_team_superuser: "false"
+  enable_teams_api: "false"
+  # etcd_host: ""
+  # infrastructure_roles_secret_name: postgresql-infrastructure-roles
+  # inherited_labels: application,environment
+  # kube_iam_role: ""
+  # log_s3_bucket: ""
+  # logical_backup_docker_image: "registry.opensource.zalan.do/acid/logical-backup"
+  # logical_backup_s3_bucket: "my-bucket-url"
+  # logical_backup_schedule: "30 00 * * *"
+  master_dns_name_format: '{cluster}.{team}.staging.{hostedzone}'
+  # master_pod_move_timeout: 10m
+  # max_instances: "-1"
+  # min_instances: "-1"
+  # node_readiness_label: ""
+  # oauth_token_secret_name: postgresql-operator
+  # pam_configuration: |
+  #  https://info.example.com/oauth2/tokeninfo?access_token= uid realm=/employees
+  # pam_role_name: zalandos
+  pdb_name_format: "postgres-{cluster}-pdb"
+  # pod_antiaffinity_topology_key: "kubernetes.io/hostname"
+  pod_deletion_wait_timeout: 10m
+  # pod_environment_configmap: ""
+  pod_label_wait_timeout: 10m
+  pod_management_policy: "ordered_ready"
+  pod_role_label: spilo-role
+  pod_service_account_name: "zalando-postgres-operator"
+  pod_terminate_grace_period: 5m
+  # postgres_superuser_teams: "postgres_superusers"
+  # protected_role_names: "admin"
+  ready_wait_interval: 3s
+  ready_wait_timeout: 30s
+  repair_period: 5m
+  replica_dns_name_format: '{cluster}-repl.{team}.staging.{hostedzone}'
+  replication_username: standby
+  resource_check_interval: 3s
+  resource_check_timeout: 10m
+  resync_period: 5m
+  ring_log_lines: "100"
+  secret_name_template: '{username}.{cluster}.credentials'
+  # sidecar_docker_images: ""
+  # set_memory_request_to_limit: "false"
+  spilo_privileged: "false"
+  super_username: postgres
+  # team_admin_role: "admin"
+  # team_api_role_configuration: "log_statement:all"
+  # teams_api_url: http://fake-teams-api.default.svc.cluster.local
+  # toleration: ""
+  # wal_s3_bucket: ""
+  watched_namespace: "*"  # listen to all namespaces
+  workers: "4"

manifests/fake-teams-api.yaml

@@ -0,0 +1,44 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: fake-teams-api
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        name: fake-teams-api
+    spec:
+      containers:
+      - name: fake-teams-api
+        image: ikitiki/fake-teams-api:latest
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: fake-teams-api
+spec:
+  selector:
+    name: fake-teams-api
+  ports:
+  - name: server
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  type: NodePort
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: postgresql-operator
+  namespace: default
+type: Opaque
+data:
+apiVersion: v1
+data:
+  read-only-token-secret: dGVzdHRva2Vu
+  read-only-token-type: QmVhcmVy

manifests/infrastructure-roles-configmap.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgresql-infrastructure-roles
+data:
+  batman: |
+    inrole: [admin]  # following roles will be assigned to the new user
+    user_flags:
+      - createdb
+    db_parameters:  # db parameters, applyed for this particular user
+      log_statement: all

manifests/infrastructure-roles.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+data:
+  # required format (w/o quotes): 'propertyNumber: value'
+  # allowed properties: 'user', 'password', 'inrole'
+  # numbers >= 1 are mandatory
+  # alternatively, supply the user: password pairs and
+  # provide other options in the configmap.
+  # robot_zmon_acid_monitoring
+  user1: cm9ib3Rfem1vbl9hY2lkX21vbml0b3Jpbmc=
+  # robot_zmon
+  inrole1: cm9ib3Rfem1vbg==
+  # testuser
+  user2: dGVzdHVzZXI=
+  # foobar
+  password2: Zm9vYmFy
+  # user batman with the password justice
+  # look for other fields in the infrastructure roles configmap
+  batman: anVzdGljZQ==
+kind: Secret
+metadata:
+  name: postgresql-infrastructure-roles
+  namespace: default
+type: Opaque

manifests/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- configmap.yaml
+- operator-service-account-rbac.yaml
+- postgres-operator.yaml

manifests/minimal-postgres-manifest.yaml

@@ -0,0 +1,36 @@
+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+  name: acid-minimal-cluster
+  namespace: zalando-postgres
+spec:
+  teamId: "ACID"
+  volume:
+    size: 1Gi
+  numberOfInstances: 3
+  users:
+    zalando:  # database owner
+    - superuser
+    - createdb
+    foo_user: []  # role for application foo
+  databases:
+    foo: zalando  # dbname: owner
+    test: zalando
+    test2: zalando
+  postgresql:
+    version: "11"
+    parameters:
+      shared_buffers: "128MB"
+      max_connections: "10"
+      log_statement: "all"
+      log_destination: "stderr"
+      log_directory: "/var/log/postgresql"
+  patroni:
+    initdb:
+      encoding: "UTF8"
+      locale: "de_DE.UTF-8"
+      data-checksums: "true"
+    pg_hba:
+    - hostssl all all 0.0.0.0/0 md5
+    - host    all all 0.0.0.0/0 md5
+    - host    all zalando 192.168.232.109/24 md5