From 4e46478c7ca279672fd4b26609af93620099540d Mon Sep 17 00:00:00 2001 From: Andy Roth Date: Fri, 17 Sep 2021 14:56:05 -0700 Subject: [PATCH] Add backups to postgres-operator example (#52) --- examples/postgres-operator/README.md | 6 + .../manifests/minio-instance.yaml | 64 +++++ .../manifests/minio-operator.yaml | 23 ++ .../manifests/namespace.yaml | 4 - .../manifests/namespaces.yaml | 9 + .../{cluster.yaml => postgres-cluster.yaml} | 2 + ...ator-ui.yaml => postgres-operator-ui.yaml} | 13 + .../{operator.yaml => postgres-operator.yaml} | 32 ++- examples/postgres-operator/zarf.yaml | 9 + values.yaml | 247 ++++++++++++++++++ 10 files changed, 400 insertions(+), 9 deletions(-) create mode 100644 examples/postgres-operator/manifests/minio-instance.yaml create mode 100644 examples/postgres-operator/manifests/minio-operator.yaml delete mode 100644 examples/postgres-operator/manifests/namespace.yaml create mode 100644 examples/postgres-operator/manifests/namespaces.yaml rename examples/postgres-operator/manifests/{cluster.yaml => postgres-cluster.yaml} (86%) rename examples/postgres-operator/manifests/{operator-ui.yaml => postgres-operator-ui.yaml} (75%) rename examples/postgres-operator/manifests/{operator.yaml => postgres-operator.yaml} (61%) create mode 100644 values.yaml diff --git a/examples/postgres-operator/README.md b/examples/postgres-operator/README.md index f8a625c8b8..3458ffe72f 100644 --- a/examples/postgres-operator/README.md +++ b/examples/postgres-operator/README.md 
@@ -20,6 +20,11 @@ After looking at several alternatives, Zalando's postgres operator felt like the - Connection // Username: `zarf` - Connection // Password: (run the command in the table below) - SSL // SSL mode: `Require` +5. Create the backups bucket in MinIO (TODO: Figure out how to create the bucket automatically) + 1. Navigate to [https://minio-console.localhost:8443](https://minio-console.localhost:8443) + 2. Log in - Username: `minio` - Password: `minio123` + 3. Buckets -> Create Bucket + - Bucket Name: `postgres-operator-backups` ## Logins @@ -28,6 +33,7 @@ After looking at several alternatives, Zalando's postgres operator felt like the | Postgres Operator UI | [https://postgres-operator-ui.localhost:8443](https://postgres-operator-ui.localhost:8443) | N/A | N/A | | PGAdmin | [https://pgadmin.localhost:8443](https://pgadmin.localhost:8443) | `zarf@example.local` | Run: `zarf tools get-admin-password` | | Example Postgres Database | `acid-zarf-test.postgres-operator.svc.cluster.local` | `zarf` | Run: `echo $(kubectl get secret zarf.acid-zarf-test.credentials.postgresql.acid.zalan.do -n postgres-operator --template={{.data.password}} \| base64 -d)` | +| Minio Console | [https://minio-console.localhost:8443](https://minio-console.localhost:8443) | `minio` | `minio123` | ## References - https://blog.flant.com/comparing-kubernetes-operators-for-postgresql/ diff --git a/examples/postgres-operator/manifests/minio-instance.yaml b/examples/postgres-operator/manifests/minio-instance.yaml new file mode 100644 index 0000000000..d161b5cb86 --- /dev/null +++ b/examples/postgres-operator/manifests/minio-instance.yaml 
@@ -0,0 +1,64 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: minio-instance
+ namespace: minio-operator
+spec:
+ chart: https://%{KUBERNETES_API}%/static/charts/minio-instance-4.2.3-bb.1.tgz
+ targetNamespace: minio-operator
+ # https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio/-/blob/4.2.3-bb.1/chart/values.yaml
+ valuesContent: |-
+ hostname: minio.localhost
+ tenants:
+ pools:
+ ## Servers specifies the number of MinIO Tenant Pods / Servers in this pool.
+ ## For standalone mode, supply 1. For distributed mode, supply 4 or more.
+ ## Note that the operator does not support upgrading from standalone to distributed mode.
+ - servers: 1
+ ## volumesPerServer specifies the number of volumes attached per MinIO Tenant Pod / Server.
+ volumesPerServer: 4
+ ## size specifies the capacity per volume
+ size: 1Gi
+ ## storageClass specifies the storage class name to be used for this pool
+ storageClassName: local-path
+ ## Used to specify a toleration for a pod
+ tolerations: {}
+ ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be
+ ## eligible to run on a node, the node must have each of the
+ ## indicated key-value pairs as labels.
+ ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ nodeSelector: {}
+ ## Affinity settings for MinIO pods. Read more about affinity
+ ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity.
+ affinity: {}
+ ## Configure resource requests and limits for MinIO containers
+ resources:
+ requests:
+ cpu: "250m"
+ memory: "1Gi"
+ limits:
+ cpu: "500m"
+ memory: "1Gi"
+ ## Configure security context
+ ## BB Note: Defaults for Ironbank image are 1001 for user, group, and fsGroup
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ console:
+ enabled: true
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: minio-console-ingressroute
+ namespace: minio-operator
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`minio-console.localhost`)
+ kind: Rule
+ services:
+ - name: minio-instance-console
+ port: 9090
diff --git a/examples/postgres-operator/manifests/minio-operator.yaml b/examples/postgres-operator/manifests/minio-operator.yaml
new file mode 100644
index 0000000000..e8e39d4f77
--- /dev/null
+++ b/examples/postgres-operator/manifests/minio-operator.yaml
@@ -0,0 +1,23 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: minio-operator
+ namespace: minio-operator
+spec:
+ chart: https://%{KUBERNETES_API}%/static/charts/minio-operator-4.2.3-bb.1.tgz
+ targetNamespace: minio-operator
+ # https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator/-/blob/2.0.9-bb.3/chart/values.yaml
+ valuesContent: |-
+ operator:
+ image:
+ repository: registry1.dso.mil/ironbank/opensource/minio/operator
+ tag: v4.2.3
+ resources:
+ requests:
+ cpu: 200m
+ memory: 256Mi
+ ephemeral-storage: 500Mi
+ limits:
+ cpu: 200m
+ memory: 256Mi
+
diff --git a/examples/postgres-operator/manifests/namespace.yaml b/examples/postgres-operator/manifests/namespace.yaml
deleted file mode 100644
index bfebd8ac2f..0000000000
--- a/examples/postgres-operator/manifests/namespace.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: postgres-operator
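Review bot: The `valuesContent` for the minio-instance chart never sets `tenants.secrets` or `requestAutoCert`, so the tenant's root credentials and whether it serves TLS are whatever `minio-instance-4.2.3-bb.1.tgz` ships as defaults, while the README and the postgres-operator manifests in this commit hardcode `minio`/`minio123` and `http://` endpoints against those implicit defaults. The console is additionally published on the `websecure` entrypoint through the IngressRoute at the end of the hunk, so a reader of this file alone cannot tell that the exposed login is a chart default. I would make the coupling explicit with a comment above `hostname: minio.localhost`, e.g. `# Demo only: tenant root credentials and TLS settings are the chart defaults and are duplicated in postgres-operator*.yaml; override tenants.secrets (and requestAutoCert) for any non-local use.`, or pin `tenants.secrets` here so the other manifests have a single source of truth. The `values.yaml` added at the repository root in this same commit shows the defaults being relied on (`secrets.accessKey: minio`, `secretKey: minio123`, `requestAutoCert: false`), assuming it is a copy of that chart's values file.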
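Review bot: The values-reference comment above `valuesContent` points at the `2.0.9-bb.3` tag of the minio-operator chart, while the `chart:` line two lines earlier pulls `minio-operator-4.2.3-bb.1.tgz` and zarf.yaml pins the same chart at `4.2.3-bb.1`, so the comment sends a reader to the wrong values file. If the `4.2.3-bb.1` tag exists upstream, the comment should read `# https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator/-/blob/4.2.3-bb.1/chart/values.yaml`. Minor: `ephemeral-storage: 500Mi` is requested with no matching entry under `limits:`, unlike `cpu` and `memory`; if that is deliberate, a short comment would save the next reader a question.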
diff --git a/examples/postgres-operator/manifests/namespaces.yaml b/examples/postgres-operator/manifests/namespaces.yaml
new file mode 100644
index 0000000000..cfaefb1018
--- /dev/null
+++ b/examples/postgres-operator/manifests/namespaces.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: postgres-operator
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: minio-operator
diff --git a/examples/postgres-operator/manifests/cluster.yaml b/examples/postgres-operator/manifests/postgres-cluster.yaml
similarity index 86%
rename from examples/postgres-operator/manifests/cluster.yaml
rename to examples/postgres-operator/manifests/postgres-cluster.yaml
index d295dc86b1..fef361acf6 100644
--- a/examples/postgres-operator/manifests/cluster.yaml
+++ b/examples/postgres-operator/manifests/postgres-cluster.yaml
@@ -17,6 +17,8 @@ spec:
 zarf: []
 databases:
 zarf: zarf
+ enableLogicalBackup: true
+ logicalBackupSchedule: "*/2 * * * *"
 resources:
 requests:
 cpu: 100m
diff --git a/examples/postgres-operator/manifests/operator-ui.yaml b/examples/postgres-operator/manifests/postgres-operator-ui.yaml
similarity index 75%
rename from examples/postgres-operator/manifests/operator-ui.yaml
rename to examples/postgres-operator/manifests/postgres-operator-ui.yaml
index 5b68e58738..48406b42f5 100644
--- a/examples/postgres-operator/manifests/operator-ui.yaml
+++ b/examples/postgres-operator/manifests/postgres-operator-ui.yaml
@@ -28,6 +28,19 @@ spec:
 targetNamespace: "postgres-operator"
 teams:
 - "acid"
+ extraEnvs:
+ - name: WALE_S3_ENDPOINT
+ value: "http+path://minio.minio-operator.svc.cluster.local:80"
+ - name: AWS_ENDPOINT
+ value: "http://minio.minio-operator.svc.cluster.local"
+ - name: SPILO_S3_BACKUP_PREFIX
+ value: "spilo/"
+ - name: AWS_ACCESS_KEY_ID
+ value: "minio"
+ - name: AWS_SECRET_ACCESS_KEY
+ value: "minio123"
+ - name: SPILO_S3_BACKUP_BUCKET
+ value: "postgres-operator-backups"
 # We are defining our own Ingress manifest
 ingress:
 enabled: false
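Review bot: `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are committed as literal `value:` strings in `extraEnvs`, and the same `minio`/`minio123` pair is repeated in postgres-operator.yaml twice (the `configLogicalBackup` keys in its first hunk and the `postgres-pod-config` ConfigMap in its second), so with the README the credential now lives in four places in this commit. For a local demo that is workable, but nothing in the manifests marks these as throwaway values, and a ConfigMap is not where a secret access key belongs. I would reference a Kubernetes Secret from the env entries instead, as sketched below, and have the operator read the same Secret (its `pod_environment_secret` setting, if the v1.7.0 image pinned in zarf.yaml supports it) rather than the ConfigMap; this assumes the operator-ui chart renders `extraEnvs` with `toYaml` so that `valueFrom` passes through, which is not visible in this hunk. At minimum a comment above `extraEnvs:` such as `# demo-only MinIO credentials; identical values are hardcoded in postgres-operator.yaml` would flag them.
```yaml
extraEnvs:
  # … unchanged: WALE_S3_ENDPOINT, AWS_ENDPOINT, SPILO_S3_BACKUP_PREFIX, SPILO_S3_BACKUP_BUCKET entries …
  - name: AWS_ACCESS_KEY_ID
    valueFrom:
      secretKeyRef:
        name: MINIO_CREDS_SECRET   # placeholder: Secret holding the MinIO tenant credentials
        key: ACCESS_KEY_FIELD      # placeholder: key within that Secret
  - name: AWS_SECRET_ACCESS_KEY
    valueFrom:
      secretKeyRef:
        name: MINIO_CREDS_SECRET   # placeholder
        key: SECRET_KEY_FIELD      # placeholder
```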
diff --git a/examples/postgres-operator/manifests/operator.yaml b/examples/postgres-operator/manifests/postgres-operator.yaml
similarity index 61%
rename from examples/postgres-operator/manifests/operator.yaml
rename to examples/postgres-operator/manifests/postgres-operator.yaml
index 95e7775158..0926a34ea1 100644
--- a/examples/postgres-operator/manifests/operator.yaml
+++ b/examples/postgres-operator/manifests/postgres-operator.yaml
@@ -22,12 +22,18 @@ spec:
 default_memory_limit: "500Mi"
 min_cpu_limit: "250m"
 min_memory_limit: "250Mi"
- # configLogicalBackup:
+ configAwsOrGcp:
+ wal_s3_bucket: "postgres-operator-backups"
+ configLogicalBackup:
 # logical_backup_docker_image: "registry1.dso.mil/.../logical-backup:v1.7.0"
- # logical_backup_s3_endpoint: ""
- # logical_backup_s3_access_key_id: ""
- # logical_backup_s3_secret_access_key : ""
- # logical_backup_schedule: "30 00 * * *"
+ logical_backup_s3_endpoint: "http://minio.minio-operator.svc.cluster.local"
+ logical_backup_s3_access_key_id: "minio"
+ logical_backup_s3_bucket: "postgres-operator-backups"
+ logical_backup_s3_secret_access_key : "minio123"
+ logical_backup_s3_sse: ""
+ logical_backup_schedule: "*/2 * * * *"
+ configKubernetes:
+ pod_environment_configmap: "postgres-operator/postgres-pod-config"
 configConnectionPooler:
 # connection_pooler_image: "registry1.dso.mil/.../pgbouncer:master-18"
 connection_pooler_default_cpu_request: "100m"
@@ -46,3 +52,19 @@ spec:
 runAsNonRoot: true
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: postgres-pod-config
+ namespace: postgres-operator
+data:
+ AWS_ENDPOINT: http://minio.minio-operator.svc.cluster.local
+ AWS_ACCESS_KEY_ID: minio
+ AWS_SECRET_ACCESS_KEY: minio123
+ BACKUP_NUM_TO_RETAIN: "3"
+ BACKUP_SCHEDULE: "*/2 * * * *"
+ USE_WALG_BACKUP: "true"
+ WALG_DISABLE_S3_SSE: "true"
+ USE_WALG_RESTORE: "false"
+ AWS_S3_FORCE_PATH_STYLE: "true"
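Review bot: `logical_backup_s3_secret_access_key : "minio123"` keeps the stray space before the colon that the removed commented-out line had; it parses, but yamllint's `colons` rule flags it and it reads as a typo next to its siblings, so it should be `logical_backup_s3_secret_access_key: "minio123"`. Two settings in this hunk also deserve a why-comment: `logical_backup_s3_sse: ""` (and `WALG_DISABLE_S3_SSE: "true"` in the ConfigMap hunk below) turn server-side encryption off, presumably because the MinIO endpoint on the line above is plain `http://`, and `pod_environment_configmap: "postgres-operator/postgres-pod-config"` names a ConfigMap that is only defined in the second hunk of this file. Something like `# SSE off: the demo MinIO tenant is plain HTTP with no KMS` and `# ConfigMap is defined at the bottom of this file` would cover both. The `*/2 * * * *` schedule is a demo value that is set here and again as `logicalBackupSchedule` in postgres-cluster.yaml; one place is enough, or a comment should say which one is intended to win.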
diff --git a/examples/postgres-operator/zarf.yaml b/examples/postgres-operator/zarf.yaml index 4fbf68fc28..f8b726bab8 100644 --- a/examples/postgres-operator/zarf.yaml +++ b/examples/postgres-operator/zarf.yaml @@ -2,6 +2,7 @@ kind: ZarfPackageConfig metadata: name: postgres-operator-demo description: "Demo of prod-like Postgres database(s) on an edge cluster" +# uncompressed: true local: manifests: manifests @@ -16,6 +17,12 @@ local: - name: pgadmin4 url: https://helm.runix.net version: 1.7.2 + - name: minio-operator + url: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator.git + version: 4.2.3-bb.1 + - name: minio-instance + url: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio.git + version: 4.2.3-bb.1 images: - registry.opensource.zalan.do/acid/postgres-operator:v1.7.0 @@ -24,3 +31,5 @@ local: - registry.opensource.zalan.do/acid/pgbouncer:master-18 - registry.opensource.zalan.do/acid/postgres-operator-ui:v1.7.0 - docker.io/dpage/pgadmin4:5.5 + - registry1.dso.mil/ironbank/opensource/minio/operator:v4.2.3 + - registry1.dso.mil/ironbank/opensource/minio/minio:RELEASE.2021-08-31T05-46-54Z diff --git a/values.yaml b/values.yaml new file mode 100644 index 0000000000..ff844642b6 --- /dev/null +++ b/values.yaml 
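Review bot: `# uncompressed: true` is a commented-out setting dropped into the package metadata with no note on why it is kept; leftover toggles like this tend to get uncommented by accident or copied into the next example. Either remove it or say what it is for in a trailing comment, e.g. `# uncompressed: true  # uncomment while iterating locally; keep compressed for the published package`, adjusting the wording to what the option actually does in this Zarf version.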
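Review bot: The tenant image `registry1.dso.mil/ironbank/opensource/minio/minio:RELEASE.2021-08-31T05-46-54Z` added to `images:` is not set anywhere in manifests/minio-instance.yaml — that HelmChart's `valuesContent` leaves `tenants.image` at the chart default — so this list is only correct for as long as the default tag inside `minio-instance-4.2.3-bb.1.tgz` happens to equal the one written here. When the chart version in the `charts:` hunk above is bumped, the two will drift silently and the air-gapped package will be missing the image the tenant actually pulls. Pinning `tenants.image.repository` and `tenants.image.tag` explicitly in minio-instance.yaml, or at least a comment on this line like `# must match the tenants.image default of the minio-instance chart pinned above`, would tie the two together; the same applies to the operator image, which minio-operator.yaml does pin to `v4.2.3`.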
@@ -0,0 +1,247 @@
+## Default values for minio instance creation.
+## Note: to enable upgrade of minio instance, then values file has a number of values that will be
+## deprecated in the future. Deprecation candidates will have an annotation in comments regarding the timeframe for deprecation.
+
+hostname: bigbang.dev
+
+# When true, upgradeTenants enables use of the V4.* Minio Operator CRD for creation of tenants is enabled.
+# The default will be made TRUE in a future release.
+upgradeTenants:
+ enabled: true
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release
+# because the operator handles the service deployment in 4.x and beyond.
+service:
+ # Internal service name for minio instance. This is the full name of the service used to connect to Minio from within the cluster.
+ # If not specified, the service name will be the default full name of the minio instance.
+ nameOverride: ""
+ type: ClusterIP
+ port: 9090
+
+# Removed ina future release
+podAnnotations: {}
+
+istio:
+ enabled: false
+ virtualService:
+ enabled: true
+ annotations: {}
+ labels: {}
+ gateways:
+ - istio-system/main
+ hosts:
+ - minio.{{ .Values.hostname }}
+ service: ""
+ port: ""
+
+monitoring:
+ enabled: false
+ namespace: monitoring
+
+networkPolicies:
+ enabled: false
+ controlPlaneCidr: 0.0.0.0/0
+ ingressLabels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+
+# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release
+# once all upgrades are complete.
+image:
+ name: registry1.dso.mil/ironbank/opensource/minio/minio
+ tag: RELEASE.2021-08-31T05-46-54Z
+ pullPolicy: "IfNotPresent"
+
+# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release
+# once all upgrades are complete.
+zones:
+ # refer to documentation for number of servers versus volumes per server
+ # https://docs.min.io/docs/minio-server-limits-per-tenant.html
+ servers: 3 # scale to 3 for dev
+
+# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release
+# once all upgrades are complete.
+volumesPerServer: 2 # 2 is minimum volumes with 3 servers
+
+# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release
+# once all upgrades are complete.
+volumeClaimTemplate:
+ accessModes: ReadWriteOnce
+ storage: 1Gi # scale down for dev
+
+# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release
+# once all upgrades are complete.
+minioRootCreds: default-minio-creds-secret
+
+## MinIO Tenant Definition
+tenants:
+ # Tenant name
+ name: minio
+ ## Registry location and Tag to download MinIO Server image
+ # Configure repo and tag of MinIO Operator Image
+ image:
+ repository: registry1.dso.mil/ironbank/opensource/minio/minio
+ tag: RELEASE.2021-08-31T05-46-54Z
+ pullPolicy: "IfNotPresent"
+ ## Customize namespace for tenant deployment
+ #namespace: default
+ imagePullSecret:
+ name: private-registry
+ ## If a scheduler is specified here, Tenant pods will be dispatched by specified scheduler.
+ ## If not specified, the Tenant pods will be dispatched by default scheduler.
+ ##scheduler:
+ ## name:
+ scheduler: {}
+
+ ## Used to specify a toleration for a pod
+ #tolerations: {}
+
+ ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be
+ ## eligible to run on a node, the node must have each of the
+ ## indicated key-value pairs as labels.
+ ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ #nodeSelector: {}
+
+ ## Affinity settings for MinIO pods. Read more about affinity
+ ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity.
+ #affinity: {}
+
+ ## Configure security context
+ ## BB Note: Defaults for Ironbank image are 1001 for user, group, and fsGroup
+ #securityContext:
+ # runAsUser: 1001
+ # runAsGroup: 1001
+ # fsGroup: 1001
+
+ ## Specification for MinIO Pool(s) in this Tenant.
+ pools:
+ ## Servers specifies the number of MinIO Tenant Pods / Servers in this pool.
+ ## For standalone mode, supply 1. For distributed mode, supply 4 or more.
+ ## Note that the operator does not support upgrading from standalone to distributed mode.
+ - servers: 4
+ ## volumesPerServer specifies the number of volumes attached per MinIO Tenant Pod / Server.
+ volumesPerServer: 4
+ ## size specifies the capacity per volume
+ size: 1Gi
+ ## storageClass specifies the storage class name to be used for this pool
+ storageClassName: local-path
+ ## Used to specify a toleration for a pod
+ tolerations: {}
+ ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be
+ ## eligible to run on a node, the node must have each of the
+ ## indicated key-value pairs as labels.
+ ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ nodeSelector: {}
+ ## Affinity settings for MinIO pods. Read more about affinity
+ ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity.
+ affinity: {}
+ ## Configure resource requests and limits for MinIO containers
+ resources:
+ requests:
+ cpu: 250m
+ memory: 2Gi
+ limits:
+ cpu: 250m
+ memory: 2Gi
+
+ ## Configure security context
+ ## BB Note: Defaults for Ironbank image are 1001 for user, group, and fsGroup
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ ## Mount path where PV will be mounted inside container(s).
+ mountPath: /export
+
+ ## Sub path inside Mount path where MinIO stores data.
+ subPath: /data
+
+ # pool secrets
+ secrets:
+ enabled: true
+ name: minio-creds-secret
+ accessKey: minio
+ secretKey: minio123
+
+ # pool metrics to be read by Prometheus
+ metrics:
+ enabled: false
+ port: 9000
+
+ certificate:
+ ## Use this field to provide one or more external CA certificates. This is used by MinIO
+ ## to verify TLS connections with other applications:
+ ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
+ externalCaCertSecret: {}
+ ## Use this field to provide a list of Secrets with external certificates. This can be used to to configure
+ ## TLS for MinIO Tenant pods. Create secrets as explained here:
+ ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
+ externalCertSecret: {}
+ ## Enable automatic Kubernetes based certificate generation and signing as explained in
+ ## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
+ ## false = disabled TLS endpoints at the tenants
+ requestAutoCert: false
+ ## This field is used only when "requestAutoCert" is set to true. Use this field to set CommonName
+ ## for the auto-generated certificate. Internal DNS name for the pod will be used if CommonName is
+ ## not provided. DNS name format is *.minio.default.svc.cluster.local
+ ##certConfig:
+ ## commonName: ""
+ ## organizationName: []
+ ## dnsNames: []
+ certConfig: {}
+ ## Enable S3 specific features such as Bucket DNS which would allow `buckets` to be
+ ## accessible as DNS entries of form `.minio.default.svc.cluster.local`
+ s3:
+ ## This feature is turned off by default
+ bucketDNS: false
+ ## PodManagement policy for MinIO Tenant Pods. Can be "OrderedReady" or "Parallel"
+ ## Refer https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
+ ## for details.
+ podManagementPolicy: Parallel
+ ## serviceMetadata allows passing additional labels and annotations to MinIO and Console specific
+ ## services created by the operator.
+ ##serviceMetadata: {}
+ serviceMetadata:
+ minioServiceLabels:
+ label: minio-svc
+ minioServiceAnnotations:
+ v2.min.io: minio-svc
+ # consoleServiceLabels:
+ # label: console-svc
+ # consoleServiceAnnotations:
+ # v2.min.io: console-svc
+
+ ## Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
+ env: {}
+ ## PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods.
+ ## This is applied to MinIO pods only.
+ ## Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/
+ # e.g., priorityClassName: high-priority
+ priorityClassName : ""
+ ## Define configuration for Console (Graphical user interface for MinIO)
+ ## Refer https://github.com/minio/console
+ console:
+ enabled: false
+ image:
+ repository: minio/console
+ tag: v0.7.4
+ pullPolicy: IfNotPresent
+ replicaCount: 1
+ secrets:
+ enabled: true
+ name: console-secret
+ passphrase: SECRET
+ salt: SECRET
+ accessKey: YOURCONSOLEACCESS
+ secretKey: YOURCONSOLESECRET
+
+openshift: false
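Review bot: `values.yaml` is added at the repository root rather than under examples/postgres-operator, and nothing else in this commit references it — zarf.yaml does not list it, and both HelmChart manifests carry their values inline in `valuesContent`. Its header (`## Default values for minio instance creation.`), the `tenants` block and the `console.secrets` entries with `passphrase: SECRET` read like the upstream chart's default values file copied for reference, so this looks like an accidental commit; if it is intentional, it should live next to the example with a leading comment saying it is an unmodified reference copy of the chart defaults and which chart version it came from. It also commits credential-shaped defaults (`secrets.accessKey: minio`, `secretKey: minio123`, `accessKey: YOURCONSOLEACCESS`) that secret scanners will flag on every future scan, and carries the upstream typos `itens`/`ina` in each repeated "This is maintained for compatible upgrade" note, which is one more reason not to keep a second copy of the file in this repository.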