ab/homelab
1
0
Fork 1
Code Pull Requests Actions Packages Wiki Activity

Added psql

Browse Source
This commit is contained in:
Ultradesu
2025-04-06 01:04:30 +01:00
parent a7cf18563d
commit ac2cd72efa
10 changed files with 560 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
k8s/core/kubernetes-dashboard/kustomization.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- service-account.yaml
helmCharts:
- name: kubernetes-dashboard
repo: https://kubernetes.github.io/dashboard
version: 7.11.1
releaseName: authentik
namespace: authentik
valuesFile: values.yaml
includeCRDs: true

20
k8s/core/kubernetes-dashboard/service-account.yaml Normal file
View File

@ -0,0 +1,20 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubernetes-dashboard
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kubernetes-dashboard

22
k8s/core/kubernetes-dashboard/values.yaml Normal file
View File

@ -0,0 +1,22 @@
kong:
proxy:
http:
enabled: true
ingress:
enabled: true
ingressClassName: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt
acme.cert-manager.io/http01-edit-in-place: "true"
traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
hosts:
- host: master.hexor.cy
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: dashboard-tls
hosts:
- master.hexor.cy
service:
externalPort: 80

151
k8s/core/postgresql/external-secrets.yaml Normal file
View File

@ -0,0 +1,151 @@
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: postgres-creds
namespace: psql
spec:
target:
name: postgres-secret
deletionPolicy: Delete
template:
type: Opaque
data:
PGADMIN_DEFAULT_EMAIL: |-
{{ .username }}
PGADMIN_DEFAULT_PASSWORD: |-
{{ .password }}
PGADMIN_CONFIG_OAUTH2_CONFIG: |-
[
{
'OAUTH2_NAME': 'Authentik',
'OAUTH2_DISPLAY_NAME': 'Authentik',
'OAUTH2_CLIENT_ID': '{{ .client_id }}',
'OAUTH2_CLIENT_SECRET': '{{ .client_secret }}',
'OAUTH2_TOKEN_URL': '{{ .pgadmin_url }}/application/o/token/',
'OAUTH2_AUTHORIZATION_URL': '{{ .pgadmin_url }}/application/o/authorize/',
'OAUTH2_SERVER_METADATA_URL': '{{ .pgadmin_url }}/application/o/pgadmin/.well-known/openid-configuration',
'OAUTH2_API_BASE_URL': '{{ .pgadmin_url }}',
'OAUTH2_USERINFO_ENDPOINT': '{{ .pgadmin_url }}/application/o/userinfo/',
'OAUTH2_SCOPE': 'openid profile email',
'OAUTH2_USERNAME_CLAIM': 'email',
'OAUTH2_BUTTON_COLOR': '#000000',
'OAUTH2_SSL_CERT_VERIFICATION': False,
'OAUTH2_LOGOUT_URL': '{{ .pgadmin_url }}/application/o/pgadmin/end-session/'
}
]
data:
- secretKey: username
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 832042b9-7edb-4f4c-9254-3c8884ba9733
property: login.username
- secretKey: password
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 832042b9-7edb-4f4c-9254-3c8884ba9733
property: login.password
- secretKey: client_id
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 832042b9-7edb-4f4c-9254-3c8884ba9733
property: fields[0].value
- secretKey: client_secret
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 832042b9-7edb-4f4c-9254-3c8884ba9733
property: fields[1].value
- secretKey: pgadmin_url
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 832042b9-7edb-4f4c-9254-3c8884ba9733
property: fields[2].value
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: postgres-users
namespace: psql
spec:
target:
name: postgres-users
deletionPolicy: Delete
template:
type: Opaque
data:
USER_authentik: |-
{{ .authentik }}
USER_paperless: |-
{{ .paperless }}
USER_nextcloud: |-
{{ .nextcloud }}
USER_outfleet: |-
{{ .outfleet }}
USER_grafana: |-
{{ .grafana }}
USER_khm: |-
{{ .khm }}
data:
- secretKey: authentik
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 2a9deb39-ef22-433e-a1be-df1555625e22
property: fields[0].value
- secretKey: outfleet
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 2a9deb39-ef22-433e-a1be-df1555625e22
property: fields[1].value
- secretKey: grafana
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 2a9deb39-ef22-433e-a1be-df1555625e22
property: fields[2].value
- secretKey: khm
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 2a9deb39-ef22-433e-a1be-df1555625e22
property: fields[3].value
- secretKey: nextcloud
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 2a9deb39-ef22-433e-a1be-df1555625e22
property: fields[4].value
- secretKey: paperless
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 2a9deb39-ef22-433e-a1be-df1555625e22
property: fields[5].value

18
k8s/core/postgresql/kustomization.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- external-secrets.yaml
- main-db.yaml
- nas-db.yaml
helmCharts:
- name: pgmanager
repo: https://helm.runix.net
version: 1.37.0
releaseName: pgadmin4
namespace: psql
valuesFile: values.yaml
includeCRDs: true

152
k8s/core/postgresql/main-db.yaml Normal file
View File

@ -0,0 +1,152 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: psql
namespace: psql
labels:
app: psql
app.kubernetes.io/name: psql
reloader.stakater.com/auto: "true"
spec:
selector:
matchLabels:
app: psql
replicas: 1
strategy:
type: Recreate
template:
metadata:
labels:
app: psql
spec:
nodeSelector:
kubernetes.io/hostname: master.tail2fe2d.ts.net
volumes:
- name: storage
hostPath:
path: /k8s/psql
type: DirectoryOrCreate
containers:
- name: psql
image: 'bitnami/postgresql:17'
env:
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-secret
key: PGADMIN_DEFAULT_PASSWORD
# command:
# - pg_resetwal
# - /bitnami/postgresql/data
ports:
- name: http
containerPort: 5432
protocol: TCP
volumeMounts:
- name: storage
mountPath: /bitnami/postgresql
- name: psql-exporter
image: 'quay.io/prometheuscommunity/postgres-exporter:latest'
env:
- name: DATA_SOURCE_URI
value: "localhost:5432/postgres?sslmode=disable"
- name: DATA_SOURCE_USER
value: "postgres"
- name: DATA_SOURCE_PASS
valueFrom:
secretKeyRef:
name: postgres-secret
key: PGADMIN_DEFAULT_PASSWORD
ports:
- name: metrics
containerPort: 9187
protocol: TCP
- name: user-creation
image: 'bitnami/postgresql:17'
command:
- /bin/bash
- -c
- |
until pg_isready -h 127.0.0.1 -p 5432 -U postgres; do
echo "Waiting for database to be ready..."
sleep 2
done
for var in $(printenv | grep "^USER_" | awk -F '=' '{print $1}'); do
USERNAME=${var#"USER_"}
PASSWORD=$(printenv "$var")
echo "Creating user $USERNAME"
psql -h 127.0.0.1 -p 5432 -U postgres -d postgres -c "CREATE USER $USERNAME WITH PASSWORD '$PASSWORD';"
echo "Creating database $USERNAME"
psql -h 127.0.0.1 -p 5432 -U postgres -d postgres -c "CREATE DATABASE $USERNAME WITH OWNER = $USERNAME ENCODING = 'UTF8';"
done
echo All done
tail -f /dev/null
envFrom:
- secretRef:
name: postgres-users
env:
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: postgres-secret
key: PGADMIN_DEFAULT_PASSWORD
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: psql-monitor
namespace: psql
spec:
endpoints:
- interval: 30s
#metricRelabelings:
#- action: keep
# regex: lm-api
# sourceLabels:
# - service
#- action: replace
# replacement: "true"
# targetLabel: global
path: /metrics
port: metrics
scheme: http
namespaceSelector:
matchNames:
- psql
selector:
matchLabels:
app: psql
---
apiVersion: v1
kind: Service
metadata:
name: psql
namespace: psql
spec:
selector:
app: psql
ports:
- protocol: TCP
port: 5432
targetPort: 5432
---
apiVersion: v1
kind: Service
metadata:
name: psql-exporter
namespace: psql
labels:
app.kubernetes.io/name: psql-exporter
spec:
selector:
app: psql
ports:
- protocol: TCP
name: metrics
port: 9187
targetPort: 9187

106
k8s/core/postgresql/nas-db.yaml Normal file
View File

@ -0,0 +1,106 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: psql-nas
namespace: psql
labels:
app: psql-nas
app.kubernetes.io/name: psql-nas
reloader.stakater.com/auto: "true"
spec:
selector:
matchLabels:
app: psql-nas
replicas: 1
strategy:
type: Recreate
template:
metadata:
labels:
app: psql-nas
spec:
nodeSelector:
kubernetes.io/hostname: nas.tail2fe2d.ts.net
volumes:
- name: storage
hostPath:
path: /mnt/storage/Storage/k8s/psql
type: DirectoryOrCreate
containers:
- name: psql
image: 'bitnami/postgresql:17'
env:
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-secret
key: PGADMIN_DEFAULT_PASSWORD
ports:
- name: http
containerPort: 5432
protocol: TCP
volumeMounts:
- name: storage
mountPath: /bitnami/postgresql
- name: psql-exporter
image: 'quay.io/prometheuscommunity/postgres-exporter:latest'
env:
- name: DATA_SOURCE_URI
value: "localhost:5432/postgres?sslmode=disable"
- name: DATA_SOURCE_USER
value: "postgres"
- name: DATA_SOURCE_PASS
valueFrom:
secretKeyRef:
name: postgres-secret
key: PGADMIN_DEFAULT_PASSWORD
ports:
- name: metrics
containerPort: 9187
protocol: TCP
- name: user-creation
image: 'bitnami/postgresql:17'
command:
- /bin/bash
- -c
- |
until pg_isready -h 127.0.0.1 -p 5432 -U postgres; do
echo "Waiting for database to be ready..."
sleep 2
done
for var in $(printenv | grep "^USER_" | awk -F '=' '{print $1}'); do
USERNAME=${var#"USER_"}
PASSWORD=$(printenv "$var")
echo "Creating user $USERNAME"
psql -h 127.0.0.1 -p 5432 -U postgres -d postgres -c "CREATE USER $USERNAME WITH PASSWORD '$PASSWORD';"
echo "Creating database $USERNAME"
psql -h 127.0.0.1 -p 5432 -U postgres -d postgres -c "CREATE DATABASE $USERNAME WITH OWNER = $USERNAME ENCODING = 'UTF8';"
done
echo All done
tail -f /dev/null
envFrom:
- secretRef:
name: postgres-users
env:
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: postgres-secret
key: PGADMIN_DEFAULT_PASSWORD
---
apiVersion: v1
kind: Service
metadata:
name: psql-nas
namespace: psql
spec:
selector:
app: psql-nas
ports:
- protocol: TCP
port: 5432
targetPort: 5432

34
k8s/core/postgresql/values.yaml Normal file
View File

@ -0,0 +1,34 @@
image:
tag: "9"
pullPolicy: Always
env:
email: "postgres@hexor.cy"
envVarsFromSecrets: [postgres-secret]
envVarsExtra:
- name: PGADMIN_CONFIG_AUTHENTICATION_SOURCES
value: "['oauth2']"
- name: PGADMIN_CONFIG_OAUTH2_NAME
value: '"Authentik"'
- name: PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER
value: "True"
- name: PGADMIN_CONFIG_OAUTH2_USERNAME_CLAIM
value: '"email"'
existingSecret: "postgres-secret"
secretKeys:
pgadminPasswordKey: PGADMIN_DEFAULT_PASSWORD
ingress:
enabled: true
ingressClassName: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt
acme.cert-manager.io/http01-edit-in-place: "true"
traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
hosts:
- host: pg.hexor.cy
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: pgadmin-tls
hosts:
- pg.hexor.cy

21
k8s/state/core/k8s-dashboard.yaml Normal file
View File

@ -0,0 +1,21 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kubernetes-dashboard
namespace: argocd
spec:
project: homelab
destination:
namespace: kubernetes-dashboard
server: https://kubernetes.default.svc
source:
repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
targetRevision: HEAD
path: k8s/core/kubernetes-dashboard
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

21
k8s/state/core/postgresql.yaml Normal file
View File

@ -0,0 +1,21 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: postgresql
namespace: argocd
spec:
project: homelab
destination:
namespace: postgresql
server: https://kubernetes.default.svc
source:
repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
targetRevision: HEAD
path: k8s/core/postgresql
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true