
---
# Armada chart document for the UCP PostgreSQL release (namespace ucp).
# Everything deployment-specific — chart source, image tags, endpoints,
# service accounts and passphrases — is pulled in through the substitutions
# below rather than written inline, which is what allows the document itself
# to be stored in cleartext.
schema: armada/Chart/v1
metadata:
  schema: metadata/Document/v1
  name: ucp-postgresql
  labels:
    name: ucp-postgresql-global
  layeringDefinition:
    abstract: false
    layer: global
  # Safe to keep unencrypted: no secret value is present in this document;
  # every password arrives via a deckhand/Passphrase substitution at render time.
  storagePolicy: cleartext
  substitutions:
    # Chart source
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .charts.ucp.postgresql
      dest:
        path: .source
    # Images
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.ucp.postgresql
      dest:
        path: .values.images.tags
    # Endpoints
    - src:
        schema: pegleg/EndpointCatalogue/v1
        name: ucp_endpoints
        path: .ucp.postgresql
      dest:
        path: .values.endpoints.postgresql
    - src:
        schema: pegleg/EndpointCatalogue/v1
        name: ucp_endpoints
        path: .ucp.prometheus_postgresql_exporter
      dest:
        path: .values.endpoints.prometheus_postgresql_exporter
    # The server certificate's first SAN is the default postgresql host name
    # from the endpoint catalogue.
    - src:
        schema: pegleg/EndpointCatalogue/v1
        name: ucp_endpoints
        path: .ucp.postgresql.hosts.default
      dest:
        path: .values.secrets.pki.server.hosts.names[0]
    # Credentials
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: ucp_service_accounts
        path: .ucp.postgres.admin
      dest:
        path: .values.endpoints.postgresql.auth.admin
    # The exporter account is written to two destinations (the postgresql
    # endpoint's auth map and the exporter's own endpoint); the same is done
    # for its password under "Secrets" below, so both copies must stay in sync.
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: ucp_service_accounts
        path: .ucp.prometheus_postgresql_exporter.user
      dest:
        path: .values.endpoints.postgresql.auth.exporter
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: ucp_service_accounts
        path: .ucp.prometheus_postgresql_exporter.user
      dest:
        path: .values.endpoints.prometheus_postgresql_exporter.auth.user
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: ucp_service_accounts
        path: .ucp.postgres.audit
      dest:
        path: .values.endpoints.postgresql.auth.audit
    # Secrets
    # Each passphrase is resolved from a deckhand/Passphrase document;
    # `path: .` selects that document's whole value.
    - dest:
        path: .values.endpoints.postgresql.auth.admin.password
      src:
        schema: deckhand/Passphrase/v1
        name: ucp_postgres_admin_password
        path: .
    - dest:
        path: .values.endpoints.postgresql.auth.exporter.password
      src:
        schema: deckhand/Passphrase/v1
        name: ucp_postgres_exporter_postgres_password
        path: .
    - dest:
        path: .values.endpoints.prometheus_postgresql_exporter.auth.user.password
      src:
        schema: deckhand/Passphrase/v1
        name: ucp_postgres_exporter_postgres_password
        path: .
    - dest:
        path: .values.endpoints.postgresql.auth.audit.password
      src:
        schema: deckhand/Passphrase/v1
        name: ucp_postgres_audit_password
        path: .
    # POD IPs
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .kubernetes.pod_cidr
      dest:
        path: .values.secrets.pki.pod_cidr
    # Forming the container name for database backups to go into
    # (the literal DOMAIN token in conf.backup.remote_backup.container_name
    # is replaced with dns.ingress_domain).
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .dns.ingress_domain
      dest:
        - path: .values.conf.backup.remote_backup.container_name
          pattern: DOMAIN
data:
  chart_name: ucp-postgresql
  release: ucp-postgresql
  namespace: ucp
  # Protected release: Armada will not purge it on failure; presumably with
  # continue_processing false a failed deploy halts the run instead of moving
  # on — confirm against the Armada version in use.
  protected:
    continue_processing: false
  wait:
    # Seconds Armada waits for the resources carrying the labels below to
    # become ready.
    timeout: 1800
    labels:
      release_group: clcp-ucp-postgresql
  install:
    no_hooks: false
  upgrade:
    no_hooks: false
    options:
      # NOTE(review): force replaces resources instead of patching them;
      # verify on an upgrade that this does not recreate the pod holding the
      # PVC-backed data store.
      force: true
    pre:
      # Presumably clears the previous backup job/cronjob so the upgrade can
      # recreate them cleanly.
      delete:
        - type: job
          labels:
            release_group: clcp-ucp-postgresql
        - type: cronjob
          labels:
            release_group: clcp-ucp-postgresql
      create: []
    post:
      create: []
  values:
    pod:
      # AppArmor confinement for every container in each pod; runtime/default
      # is the container runtime's baseline profile.
      mandatory_access_control:
        type: apparmor
        postgresql:
          postgresql: runtime/default
          set-volume-perms: runtime/default
          init: runtime/default
        postgresql-backup:
          postgresql-backup: runtime/default
          backup-perms: runtime/default
          init: runtime/default
        prometheus-postgresql-exporter:
          postgresql-exporter: runtime/default
          init: runtime/default
        prometheus-postgresql-exporter-create-user:
          prometheus-postgresql-exporter-create-user: runtime/default
          init: runtime/default
      affinity:
        anti:
          type:
            # Hard anti-affinity: replicas are never scheduled on one node.
            # Only relevant if replicas.server is raised above 1.
            default: requiredDuringSchedulingIgnoredDuringExecution
      replicas:
        # Single instance; there is no standby (see wal_level minimal below).
        server: 1
    monitoring:
      prometheus:
        enabled: true
    volume:
      backup:
        # Local PVC that receives the pg_dumpall output (see conf.backup).
        size: 50Gi
    conf:
      postgresql:
        max_connections: 1000
        shared_buffers: 2GB
        # Connection/disconnection logging is off to limit log volume. From an
        # audit standpoint these two switches are the cheapest way to see who
        # connects and when; weigh that against the volume before enabling.
        log_connections: 'off'
        log_disconnections: 'off'
        # disable archiving
        archive_mode: 'off'
        # disable wal senders (required with wal_level minimal)
        max_wal_senders: 0
        # to avoid filling up pgdata/pg_xlog, limit to 32 wal files (16 MB each), i.e. 512MB
        # NOTE(review): the "files" reading holds for PostgreSQL 9.5/9.6, where
        # this setting is in WAL-segment units; from PostgreSQL 10 it is in MB,
        # so 32 would mean 32 MB — confirm against the image version in use.
        max_wal_size: 32
        # to avoid filling up pgdata/pg_commit_ts, don't track commit timestamps
        track_commit_timestamp: 'off'
        # don't explicitly force a minimum # of wal files to keep
        wal_keep_segments: 0
        # retain enough data to recover from a crash or immediate shutdown
        # (minimal also rules out streaming replication and archive recovery,
        # consistent with archive_mode off, max_wal_senders 0 and the single
        # replica above)
        wal_level: minimal
        # don't force writes for hint bit modifications
        wal_log_hints: 'off'
      # Rendered verbatim into pg_hba.conf; rules are matched top-down and the
      # first match wins. The two `trust` lines grant passwordless access as
      # any role, including the superuser, to whatever reaches the loopback
      # address or the unix socket inside the pod — the pod is the trust
      # boundary, so any sidecar or exec session inherits that access.
      # Remote users authenticate with md5; scram-sha-256 is the stronger
      # choice on servers that support it, but switching requires re-hashing
      # stored passwords, so it is left unchanged here. Both `psql_exporter`
      # and `postgresql_exporter` are listed; which name the exporter actually
      # uses comes from the ucp_service_accounts catalogue — confirm and prune
      # the stale entry. The trailing 0.0.0.0/0 reject is the IPv4 catch-all;
      # IPv6 clients match no rule and are refused by default.
      pg_hba: |
        host all all 127.0.0.1/32 trust
        host all postgresql-admin 0.0.0.0/0 md5
        host all postgres 0.0.0.0/0 md5
        host all psql_exporter 0.0.0.0/0 md5
        host postgres postgresql_exporter 0.0.0.0/0 md5
        host deckhand deckhand 0.0.0.0/0 md5
        host maasdb maas 0.0.0.0/0 md5
        host airflow airflow 0.0.0.0/0 md5
        host shipyard shipyard 0.0.0.0/0 md5
        host drydock drydock 0.0.0.0/0 md5
        local all all trust
        host all all 0.0.0.0/0 reject
      backup:
        # --clean makes the dump DROP existing databases/roles before
        # recreating them on restore; --inserts emits per-row INSERTs
        # (portable, slower to restore than COPY).
        pg_dumpall_options: '--inserts --clean'
        enabled: true
        # Retention on the local backup PVC.
        days_to_keep: 3
        remote_backup:
          enabled: true
          # DOMAIN is a placeholder replaced by the dns.ingress_domain
          # substitution in metadata.substitutions.
          container_name: DOMAIN
          # Retention in the remote container.
          days_to_keep: 14
          storage_policy: ncbackup_pt
    development:
      enabled: false
    # Pin every pod of the release to control-plane nodes.
    labels:
      server:
        node_selector_key: ucp-control-plane
        node_selector_value: enabled
      test:
        node_selector_key: ucp-control-plane
        node_selector_value: enabled
      prometheus_postgresql_exporter:
        node_selector_key: ucp-control-plane
        node_selector_value: enabled
      job:
        node_selector_key: ucp-control-plane
        node_selector_value: enabled
    manifests:
      # Enable automated backups
      cron_job_postgresql_backup: true
      # Not needing to create a keystone user - it should already be created on CH
      job_ks_user: false
      # Still backing up to local PVC in addition to CH backups
      pvc_backup: true
      # Enable backup/restore secrets
      secret_backup_restore: true
    secrets:
      pki:
        # Certificate lifetimes; presumably in days — confirm against the
        # chart's PKI templates.
        server:
          life: 365
        # A replication certificate is issued even though wal_level minimal
        # and replicas.server 1 mean no replica consumes it.
        replication:
          life: 365
  dependencies:
    - postgres-htk
...