From ac2cd72efa83edd06ded2c6f01a6018100cfc645 Mon Sep 17 00:00:00 2001
From: Ultradesu
Date: Sun, 6 Apr 2025 01:04:30 +0100
Subject: [PATCH] Added psql
---
 .../kubernetes-dashboard/kustomization.yaml | 15 ++
 .../kubernetes-dashboard/service-account.yaml | 20 +++
 k8s/core/kubernetes-dashboard/values.yaml | 22 +++
 k8s/core/postgresql/external-secrets.yaml | 151 +++++++++++++++++
 k8s/core/postgresql/kustomization.yaml | 18 +++
 k8s/core/postgresql/main-db.yaml | 152 ++++++++++++++++++
 k8s/core/postgresql/nas-db.yaml | 106 ++++++++++++
 k8s/core/postgresql/values.yaml | 34 ++++
 k8s/state/core/k8s-dashboard.yaml | 21 +++
 k8s/state/core/postgresql.yaml | 21 +++
 10 files changed, 560 insertions(+)
 create mode 100644 k8s/core/kubernetes-dashboard/kustomization.yaml
 create mode 100644 k8s/core/kubernetes-dashboard/service-account.yaml
 create mode 100644 k8s/core/kubernetes-dashboard/values.yaml
 create mode 100644 k8s/core/postgresql/external-secrets.yaml
 create mode 100644 k8s/core/postgresql/kustomization.yaml
 create mode 100644 k8s/core/postgresql/main-db.yaml
 create mode 100644 k8s/core/postgresql/nas-db.yaml
 create mode 100644 k8s/core/postgresql/values.yaml
 create mode 100644 k8s/state/core/k8s-dashboard.yaml
 create mode 100644 k8s/state/core/postgresql.yaml
diff --git a/k8s/core/kubernetes-dashboard/kustomization.yaml b/k8s/core/kubernetes-dashboard/kustomization.yaml
new file mode 100644
index 0000000..69ec232
--- /dev/null
+++ b/k8s/core/kubernetes-dashboard/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - service-account.yaml
+
+helmCharts:
+ - name: kubernetes-dashboard
+ repo: https://kubernetes.github.io/dashboard
+ version: 7.11.1
+ releaseName: authentik
+ namespace: authentik
+ valuesFile: values.yaml
+ includeCRDs: true
+
diff --git a/k8s/core/kubernetes-dashboard/service-account.yaml b/k8s/core/kubernetes-dashboard/service-account.yaml
new file mode 100644
index 0000000..45d2be0
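Review bot: `releaseName: authentik` and `namespace: authentik` in the `helmCharts` entry do not match the rest of this change — `service-account.yaml` in the same kustomization puts the ServiceAccount in `kubernetes-dashboard`, and the Argo Application in `k8s/state/core/k8s-dashboard.yaml` has `destination.namespace: kubernetes-dashboard`; this looks like a leftover from copying another kustomization. As written the chart objects would render into the `authentik` namespace, apart from the ServiceAccount and from the namespace Argo creates with `CreateNamespace=true`. Change the two lines to `releaseName: kubernetes-dashboard` and `namespace: kubernetes-dashboard` (or whichever release is actually intended) so the chart, the ServiceAccount and the Application agree.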
--- /dev/null
+++ b/k8s/core/kubernetes-dashboard/service-account.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kubernetes-dashboard
+ namespace: kubernetes-dashboard
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubernetes-dashboard
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: kubernetes-dashboard
+ namespace: kubernetes-dashboard
+
diff --git a/k8s/core/kubernetes-dashboard/values.yaml b/k8s/core/kubernetes-dashboard/values.yaml
new file mode 100644
index 0000000..d6118e0
--- /dev/null
+++ b/k8s/core/kubernetes-dashboard/values.yaml
@@ -0,0 +1,22 @@
+kong:
+ proxy:
+ http:
+ enabled: true
+ingress:
+ enabled: true
+ ingressClassName: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ acme.cert-manager.io/http01-edit-in-place: "true"
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+ hosts:
+ - host: master.hexor.cy
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls:
+ - secretName: dashboard-tls
+ hosts:
+ - master.hexor.cy
+service:
+ externalPort: 80
diff --git a/k8s/core/postgresql/external-secrets.yaml b/k8s/core/postgresql/external-secrets.yaml
new file mode 100644
index 0000000..6edae6d
--- /dev/null
+++ b/k8s/core/postgresql/external-secrets.yaml
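Review bot: The ClusterRoleBinding hands `cluster-admin` to the `kubernetes-dashboard` ServiceAccount, which makes that account's token a standing full-cluster credential: any pod that runs under it, and anyone who can read or mint a token for it, can do anything in the cluster. If the token is meant for logging into the dashboard, bind a narrower role (`view`, or `edit` on the namespaces actually managed from the dashboard) and use a short-lived elevated token only when needed, rather than leaving cluster-admin attached permanently. Whatever is decided, record it next to `roleRef:` — e.g. `# cluster-admin on purpose: this SA's token is the dashboard login and is a full-cluster credential` — so the scope is neither widened nor trusted by accident later.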
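Review bot: `kong.proxy.http.enabled: true` together with `service.externalPort: 80` makes the dashboard's Kong proxy accept plain HTTP, presumably because Traefik terminates TLS for `master.hexor.cy` (the `ingress.tls` block) and forwards to the service unencrypted inside the cluster; nothing in the file says so, and a later reader could revert it to HTTPS-only and break the ingress. A comment above `kong:` such as `# Traefik terminates TLS (ingress.tls below); Kong must accept plain HTTP from the ingress controller` would capture the intent. The `https-redirect` middleware annotation keeps external clients on TLS, so the plaintext hop is confined to the cluster network — worth stating in the same comment.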
@@ -0,0 +1,151 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: postgres-creds
+ namespace: psql
+spec:
+ target:
+ name: postgres-secret
+ deletionPolicy: Delete
+ template:
+ type: Opaque
+ data:
+ PGADMIN_DEFAULT_EMAIL: |-
+ {{ .username }}
+ PGADMIN_DEFAULT_PASSWORD: |-
+ {{ .password }}
+ PGADMIN_CONFIG_OAUTH2_CONFIG: |-
+ [
+ {
+ 'OAUTH2_NAME': 'Authentik',
+ 'OAUTH2_DISPLAY_NAME': 'Authentik',
+ 'OAUTH2_CLIENT_ID': '{{ .client_id }}',
+ 'OAUTH2_CLIENT_SECRET': '{{ .client_secret }}',
+ 'OAUTH2_TOKEN_URL': '{{ .pgadmin_url }}/application/o/token/',
+ 'OAUTH2_AUTHORIZATION_URL': '{{ .pgadmin_url }}/application/o/authorize/',
+ 'OAUTH2_SERVER_METADATA_URL': '{{ .pgadmin_url }}/application/o/pgadmin/.well-known/openid-configuration',
+ 'OAUTH2_API_BASE_URL': '{{ .pgadmin_url }}',
+ 'OAUTH2_USERINFO_ENDPOINT': '{{ .pgadmin_url }}/application/o/userinfo/',
+ 'OAUTH2_SCOPE': 'openid profile email',
+ 'OAUTH2_USERNAME_CLAIM': 'email',
+ 'OAUTH2_BUTTON_COLOR': '#000000',
+ 'OAUTH2_SSL_CERT_VERIFICATION': False,
+ 'OAUTH2_LOGOUT_URL': '{{ .pgadmin_url }}/application/o/pgadmin/end-session/'
+ }
+ ]
+ data:
+ - secretKey: username
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 832042b9-7edb-4f4c-9254-3c8884ba9733
+ property: login.username
+ - secretKey: password
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 832042b9-7edb-4f4c-9254-3c8884ba9733
+ property: login.password
+ - secretKey: client_id
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 832042b9-7edb-4f4c-9254-3c8884ba9733
+ property: fields[0].value
+ - secretKey: client_secret
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 832042b9-7edb-4f4c-9254-3c8884ba9733
+ property: fields[1].value
+ - secretKey: pgadmin_url
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 832042b9-7edb-4f4c-9254-3c8884ba9733
+ property: fields[2].value
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: postgres-users
+ namespace: psql
+spec:
+ target:
+ name: postgres-users
+ deletionPolicy: Delete
+ template:
+ type: Opaque
+ data:
+ USER_authentik: |-
+ {{ .authentik }}
+ USER_paperless: |-
+ {{ .paperless }}
+ USER_nextcloud: |-
+ {{ .nextcloud }}
+ USER_outfleet: |-
+ {{ .outfleet }}
+ USER_grafana: |-
+ {{ .grafana }}
+ USER_khm: |-
+ {{ .khm }}
+ data:
+ - secretKey: authentik
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 2a9deb39-ef22-433e-a1be-df1555625e22
+ property: fields[0].value
+ - secretKey: outfleet
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 2a9deb39-ef22-433e-a1be-df1555625e22
+ property: fields[1].value
+ - secretKey: grafana
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 2a9deb39-ef22-433e-a1be-df1555625e22
+ property: fields[2].value
+ - secretKey: khm
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 2a9deb39-ef22-433e-a1be-df1555625e22
+ property: fields[3].value
+ - secretKey: nextcloud
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 2a9deb39-ef22-433e-a1be-df1555625e22
+ property: fields[4].value
+ - secretKey: paperless
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 2a9deb39-ef22-433e-a1be-df1555625e22
+ property: fields[5].value
diff --git a/k8s/core/postgresql/kustomization.yaml b/k8s/core/postgresql/kustomization.yaml
new file mode 100644
index 0000000..a3c97cc
--- /dev/null
+++ b/k8s/core/postgresql/kustomization.yaml
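Review bot: `'OAUTH2_SSL_CERT_VERIFICATION': False` in the `PGADMIN_CONFIG_OAUTH2_CONFIG` template disables certificate checking for every request pgAdmin makes to Authentik (the token, userinfo and metadata URLs built from `{{ .pgadmin_url }}`), so the OAuth2 client secret and users' tokens are exposed to anyone who can sit between pgAdmin and that host. The rest of this commit already issues Let's Encrypt certificates through cert-manager, so set it to `True`; if a self-signed certificate motivated the override, trust that CA in the pgAdmin image instead of turning verification off. Separately, the `fields[0..2].value` and `fields[0..5].value` lookups are positional — reordering the custom fields in either Vaultwarden item silently swaps, say, `client_id` and `client_secret`, or hands one service's database password to another — so add a comment above each `data:` list stating the expected field order (`# item fields, in order: client_id, client_secret, pgadmin_url`), or reference fields by name if the store supports it.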
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - external-secrets.yaml
+ - main-db.yaml
+ - nas-db.yaml
+
+
+helmCharts:
+ - name: pgmanager
+ repo: https://helm.runix.net
+ version: 1.37.0
+ releaseName: pgadmin4
+ namespace: psql
+ valuesFile: values.yaml
+ includeCRDs: true
+
diff --git a/k8s/core/postgresql/main-db.yaml b/k8s/core/postgresql/main-db.yaml
new file mode 100644
index 0000000..b425539
--- /dev/null
+++ b/k8s/core/postgresql/main-db.yaml
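Review bot: Everything in this kustomization targets namespace `psql` — `helmCharts[].namespace` here and `metadata.namespace: psql` in external-secrets.yaml, main-db.yaml and nas-db.yaml — but the Argo Application in `k8s/state/core/postgresql.yaml` declares `destination.namespace: postgresql` with `CreateNamespace=true`, so Argo creates `postgresql` and nothing in the commit creates `psql`; unless that namespace already exists the first sync fails. Pick one name, simplest being `namespace: psql` in the Application, or add a Namespace manifest to `resources`. The chart is referenced as `name: pgmanager` with `releaseName: pgadmin4`; I cannot verify the chart name from here, so confirm `pgmanager` is what the runix repo publishes before relying on it.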
@@ -0,0 +1,152 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: psql
+ namespace: psql
+ labels:
+ app: psql
+ app.kubernetes.io/name: psql
+ reloader.stakater.com/auto: "true"
+spec:
+ selector:
+ matchLabels:
+ app: psql
+ replicas: 1
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: psql
+ spec:
+ nodeSelector:
+ kubernetes.io/hostname: master.tail2fe2d.ts.net
+ volumes:
+ - name: storage
+ hostPath:
+ path: /k8s/psql
+ type: DirectoryOrCreate
+ containers:
+ - name: psql
+ image: 'bitnami/postgresql:17'
+ env:
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres-secret
+ key: PGADMIN_DEFAULT_PASSWORD
+ # command:
+ # - pg_resetwal
+ # - /bitnami/postgresql/data
+
+ ports:
+ - name: http
+ containerPort: 5432
+ protocol: TCP
+ volumeMounts:
+ - name: storage
+ mountPath: /bitnami/postgresql
+ - name: psql-exporter
+ image: 'quay.io/prometheuscommunity/postgres-exporter:latest'
+ env:
+ - name: DATA_SOURCE_URI
+ value: "localhost:5432/postgres?sslmode=disable"
+ - name: DATA_SOURCE_USER
+ value: "postgres"
+ - name: DATA_SOURCE_PASS
+ valueFrom:
+ secretKeyRef:
+ name: postgres-secret
+ key: PGADMIN_DEFAULT_PASSWORD
+ ports:
+ - name: metrics
+ containerPort: 9187
+ protocol: TCP
+ - name: user-creation
+ image: 'bitnami/postgresql:17'
+ command:
+ - /bin/bash
+ - -c
+ - |
+ until pg_isready -h 127.0.0.1 -p 5432 -U postgres; do
+ echo "Waiting for database to be ready..."
+ sleep 2
+ done
+
+ for var in $(printenv | grep "^USER_" | awk -F '=' '{print $1}'); do
+ USERNAME=${var#"USER_"}
+ PASSWORD=$(printenv "$var")
+ echo "Creating user $USERNAME"
+ psql -h 127.0.0.1 -p 5432 -U postgres -d postgres -c "CREATE USER $USERNAME WITH PASSWORD '$PASSWORD';"
+ echo "Creating database $USERNAME"
+ psql -h 127.0.0.1 -p 5432 -U postgres -d postgres -c "CREATE DATABASE $USERNAME WITH OWNER = $USERNAME ENCODING = 'UTF8';"
+ done
+ echo All done
+ tail -f /dev/null
+ envFrom:
+ - secretRef:
+ name: postgres-users
+ env:
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres-secret
+ key: PGADMIN_DEFAULT_PASSWORD
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: psql-monitor
+ namespace: psql
+spec:
+ endpoints:
+ - interval: 30s
+ #metricRelabelings:
+
+ #- action: keep
+ # regex: lm-api
+ # sourceLabels:
+ # - service
+ #- action: replace
+ # replacement: "true"
+ # targetLabel: global
+ path: /metrics
+ port: metrics
+ scheme: http
+ namespaceSelector:
+ matchNames:
+ - psql
+ selector:
+ matchLabels:
+ app: psql
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: psql
+ namespace: psql
+spec:
+ selector:
+ app: psql
+ ports:
+ - protocol: TCP
+ port: 5432
+ targetPort: 5432
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: psql-exporter
+ namespace: psql
+ labels:
+ app.kubernetes.io/name: psql-exporter
+spec:
+ selector:
+ app: psql
+ ports:
+ - protocol: TCP
+ name: metrics
+ port: 9187
+ targetPort: 9187
+
diff --git a/k8s/core/postgresql/nas-db.yaml b/k8s/core/postgresql/nas-db.yaml
new file mode 100644
index 0000000..46d39ff
--- /dev/null
+++ b/k8s/core/postgresql/nas-db.yaml
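Review bot: The `user-creation` container builds its SQL by shell interpolation — `CREATE USER $USERNAME WITH PASSWORD '$PASSWORD';` — so a password containing a single quote breaks the statement and either value can change the SQL that runs as superuser; the same script is duplicated verbatim in `nas-db.yaml`, so fix both. Pass the values as psql variables over stdin and let psql quote them (`:"u"` as an identifier, `:'p'` as a literal) as below; `:"u"` preserves case, which matches today's behaviour only because the `USER_*` keys in `postgres-users` are all lowercase. Separately, `POSTGRESQL_PASSWORD`, the exporter's `DATA_SOURCE_PASS` and `PGPASSWORD` all read `PGADMIN_DEFAULT_PASSWORD` from `postgres-secret`, meaning the pgAdmin admin password doubles as the `postgres` superuser password and the metrics exporter scrapes as superuser — give the exporter its own role with `pg_monitor` and keep the superuser password under a key named for what it is. Minor: `ports[].name: http` on 5432 is misleading; `postgres` reads better in the Service and ServiceMonitor.
```yaml
        - |
          # … unchanged: pg_isready wait loop …
          for var in $(printenv | grep "^USER_" | awk -F '=' '{print $1}'); do
            USERNAME=${var#"USER_"}
            PASSWORD=$(printenv "$var")
            echo "Creating user and database $USERNAME"
            # psql quotes :"u" as an identifier and :'p' as a literal, so the
            # values never reach the SQL text through shell interpolation
            psql -h 127.0.0.1 -p 5432 -U postgres -d postgres \
              -v u="$USERNAME" -v p="$PASSWORD" <<'SQL'
          CREATE USER :"u" WITH PASSWORD :'p';
          CREATE DATABASE :"u" WITH OWNER = :"u" ENCODING = 'UTF8';
          SQL
          done
          # … unchanged: echo All done / tail -f /dev/null …
```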
@@ -0,0 +1,106 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: psql-nas
+ namespace: psql
+ labels:
+ app: psql-nas
+ app.kubernetes.io/name: psql-nas
+ reloader.stakater.com/auto: "true"
+spec:
+ selector:
+ matchLabels:
+ app: psql-nas
+ replicas: 1
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: psql-nas
+ spec:
+ nodeSelector:
+ kubernetes.io/hostname: nas.tail2fe2d.ts.net
+ volumes:
+ - name: storage
+ hostPath:
+ path: /mnt/storage/Storage/k8s/psql
+ type: DirectoryOrCreate
+ containers:
+ - name: psql
+ image: 'bitnami/postgresql:17'
+ env:
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres-secret
+ key: PGADMIN_DEFAULT_PASSWORD
+
+ ports:
+ - name: http
+ containerPort: 5432
+ protocol: TCP
+ volumeMounts:
+ - name: storage
+ mountPath: /bitnami/postgresql
+ - name: psql-exporter
+ image: 'quay.io/prometheuscommunity/postgres-exporter:latest'
+ env:
+ - name: DATA_SOURCE_URI
+ value: "localhost:5432/postgres?sslmode=disable"
+ - name: DATA_SOURCE_USER
+ value: "postgres"
+ - name: DATA_SOURCE_PASS
+ valueFrom:
+ secretKeyRef:
+ name: postgres-secret
+ key: PGADMIN_DEFAULT_PASSWORD
+ ports:
+ - name: metrics
+ containerPort: 9187
+ protocol: TCP
+ - name: user-creation
+ image: 'bitnami/postgresql:17'
+ command:
+ - /bin/bash
+ - -c
+ - |
+ until pg_isready -h 127.0.0.1 -p 5432 -U postgres; do
+ echo "Waiting for database to be ready..."
+ sleep 2
+ done
+
+ for var in $(printenv | grep "^USER_" | awk -F '=' '{print $1}'); do
+ USERNAME=${var#"USER_"}
+ PASSWORD=$(printenv "$var")
+ echo "Creating user $USERNAME"
+ psql -h 127.0.0.1 -p 5432 -U postgres -d postgres -c "CREATE USER $USERNAME WITH PASSWORD '$PASSWORD';"
+ echo "Creating database $USERNAME"
+ psql -h 127.0.0.1 -p 5432 -U postgres -d postgres -c "CREATE DATABASE $USERNAME WITH OWNER = $USERNAME ENCODING = 'UTF8';"
+ done
+ echo All done
+ tail -f /dev/null
+ envFrom:
+ - secretRef:
+ name: postgres-users
+ env:
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres-secret
+ key: PGADMIN_DEFAULT_PASSWORD
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: psql-nas
+ namespace: psql
+spec:
+ selector:
+ app: psql-nas
+ ports:
+ - protocol: TCP
+ port: 5432
+ targetPort: 5432
+
diff --git a/k8s/core/postgresql/values.yaml b/k8s/core/postgresql/values.yaml
new file mode 100644
index 0000000..a5ea721
--- /dev/null
+++ b/k8s/core/postgresql/values.yaml
@@ -0,0 +1,34 @@
+image:
+ tag: "9"
+ pullPolicy: Always
+env:
+ email: "postgres@hexor.cy"
+envVarsFromSecrets: [postgres-secret]
+envVarsExtra:
+ - name: PGADMIN_CONFIG_AUTHENTICATION_SOURCES
+ value: "['oauth2']"
+ - name: PGADMIN_CONFIG_OAUTH2_NAME
+ value: '"Authentik"'
+ - name: PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER
+ value: "True"
+ - name: PGADMIN_CONFIG_OAUTH2_USERNAME_CLAIM
+ value: '"email"'
+existingSecret: "postgres-secret"
+secretKeys:
+ pgadminPasswordKey: PGADMIN_DEFAULT_PASSWORD
+ingress:
+ enabled: true
+ ingressClassName: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ acme.cert-manager.io/http01-edit-in-place: "true"
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+ hosts:
+ - host: pg.hexor.cy
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls:
+ - secretName: pgadmin-tls
+ hosts:
+ - pg.hexor.cy
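Review bot: `PGADMIN_CONFIG_AUTHENTICATION_SOURCES: "['oauth2']"` together with `PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER: "True"` means every identity that Authentik admits to the `pgadmin` application gets a pgAdmin account provisioned on first login, and — as far as I can tell from the sources list — the internal login (the `PGADMIN_DEFAULT_EMAIL`/`PGADMIN_DEFAULT_PASSWORD` pair supplied via `existingSecret`) is no longer accepted, so the effective access control for pgAdmin lives entirely in Authentik's application policy. Nothing in the file records that dependency; add above `envVarsExtra:`: `# Only OAuth2 logins are accepted and AUTO_CREATE_USER provisions a pgAdmin user for anyone Authentik admits — restrict access in the Authentik 'pgadmin' application policy`. Also, `image.tag: "9"` with `pullPolicy: Always` tracks a floating major tag, so each pod restart may pull a different pgAdmin build; pin a full version if reproducible deploys matter.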
diff --git a/k8s/state/core/k8s-dashboard.yaml b/k8s/state/core/k8s-dashboard.yaml
new file mode 100644
index 0000000..ed073a0
--- /dev/null
+++ b/k8s/state/core/k8s-dashboard.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: kubernetes-dashboard
+ namespace: argocd
+spec:
+ project: homelab
+ destination:
+ namespace: kubernetes-dashboard
+ server: https://kubernetes.default.svc
+ source:
+ repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+ targetRevision: HEAD
+ path: k8s/core/kubernetes-dashboard
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/k8s/state/core/postgresql.yaml b/k8s/state/core/postgresql.yaml
new file mode 100644
index 0000000..4e95a89
--- /dev/null
+++ b/k8s/state/core/postgresql.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: postgresql
+ namespace: argocd
+spec:
+ project: homelab
+ destination:
+ namespace: postgresql
+ server: https://kubernetes.default.svc
+ source:
+ repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+ targetRevision: HEAD
+ path: k8s/core/postgresql
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
+