gitea_admin/k8s-and-chill
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes

Browse source 
- Add hcloud-csi prototype (Hetzner Cloud CSI driver)
- Add cloudnative-pg prototype (CNPG operator)
- Add CNPG Cluster CR for Forgejo (2 instances, lean config for 4GB nodes)
- Add 20Gi hcloud-volumes PVC for Forgejo git repos
- Switch Forgejo from SQLite to PostgreSQL (forgejo-cnpg-rw service)
- Switch Forgejo persistence to hcloud-volumes (forgejo-git-storage)
- Fix ClusterRoleBinding subject namespaces for hcloud-csi and CNPG
- Fix CNPG webhook service namespace references

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Felix Wolf 2026-04-03 16:37:13 +02:00
parent f096bba68b
commit 25714eeef6
57 changed files with 17938 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
CLAUDE.md
View file

@ -62,10 +62,8 @@ kubectl apply -f rendered/envs/production/<app>/ --server-side # Deploy
``` ```
## Kubeconfig & Talos ## Kubeconfig & Talos
```bash - `KUBECONFIG` and `TALOSCONFIG` are already set in the user's shell environment. Do not set them in commands.
export KUBECONFIG=./talos/kubeconfig
export TALOSCONFIG=./talos/talosconfig
```
## Known Issues / TODOs ## Known Issues / TODOs
- **Forgejo admin password**: Hardcoded in rendered secrets (`r8sA8CPHD9!bt6d`). Move to external secret before pushing to git. - **Forgejo admin password**: Hardcoded in rendered secrets (`r8sA8CPHD9!bt6d`). Move to external secret before pushing to git.

5
envs/production/_apps/cloudnative-pg/app-data.ytt.yaml Normal file
View file

@ -0,0 +1,5 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
namespace: cnpg-system

11
envs/production/_apps/forgejo/argocd/replace-jobs.overlay.ytt.yaml Normal file
View file

@ -0,0 +1,11 @@
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.all, expects="1+"
---
#@overlay/match-child-defaults missing_ok=True
spec:
syncPolicy:
#@overlay/match missing_ok=True
syncOptions:
#@overlay/append
- Replace=true

5
envs/production/_apps/hcloud-csi/app-data.ytt.yaml Normal file
View file

@ -0,0 +1,5 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
namespace: kube-system

2
envs/production/env-data.ytt.yaml
View file

@ -11,3 +11,5 @@ environment:
- proto: grafana - proto: grafana
- proto: kube-state-metrics - proto: kube-state-metrics
- proto: node-exporter - proto: node-exporter
- proto: hcloud-csi
- proto: cloudnative-pg

5
prototypes/cloudnative-pg/app-data.ytt.yaml Normal file
View file

@ -0,0 +1,5 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
namespace: cnpg-system

3
prototypes/cloudnative-pg/helm/cloudnative-pg.yaml Normal file
View file

@ -0,0 +1,3 @@
---
crds:
create: true

16
prototypes/cloudnative-pg/vendir/base.ytt.yaml Normal file
View file

@ -0,0 +1,16 @@
#@ load("@ytt:data", "data")
#@ app = data.values.application
---
apiVersion: vendir.k14s.io/v1alpha1
kind: Config
directories:
- path: #@ "charts/" + app.name
contents:
- path: .
helmChart:
name: #@ app.name
version: #@ app.version
repository:
url: #@ app.url
lazy: true

8
prototypes/cloudnative-pg/vendir/vendir-data.ytt.yaml Normal file
View file

@ -0,0 +1,8 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
#! renovate: datasource=helm
name: cloudnative-pg
url: https://cloudnative-pg.github.io/charts
version: 0.23.0

10
prototypes/cloudnative-pg/ytt/fix-clusterrolebinding.ytt.yaml Normal file
View file

@ -0,0 +1,10 @@
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")
#@ ns = data.values.application.namespace
#@overlay/match by=overlay.subset({"kind": "ClusterRoleBinding"})
---
subjects:
#@overlay/match by=overlay.all
- namespace: #@ ns

20
prototypes/cloudnative-pg/ytt/fix-webhook-ns.ytt.yaml Normal file
View file

@ -0,0 +1,20 @@
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")
#@ ns = data.values.application.namespace
#@overlay/match by=overlay.subset({"kind": "MutatingWebhookConfiguration"}), expects="0+"
---
webhooks:
#@overlay/match by=overlay.all, expects="1+"
- clientConfig:
service:
namespace: #@ ns
#@overlay/match by=overlay.subset({"kind": "ValidatingWebhookConfiguration"}), expects="0+"
---
webhooks:
#@overlay/match by=overlay.all, expects="1+"
- clientConfig:
service:
namespace: #@ ns

18
prototypes/cloudnative-pg/ytt/ns.ytt.yaml Normal file
View file

@ -0,0 +1,18 @@
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")
#@ ns = data.values.application.namespace
---
apiVersion: v1
kind: Namespace
metadata:
name: #@ ns
labels:
pod-security.kubernetes.io/enforce: privileged
#@overlay/match by=overlay.all, expects="1+"
---
metadata:
#@overlay/match missing_ok=True
namespace: #@ ns

20
prototypes/forgejo/helm/forgejo.yaml
View file

@ -1,6 +1,4 @@
--- ---
replicaCount: 0
strategy: strategy:
type: Recreate type: Recreate
@ -12,7 +10,9 @@ postgresql-ha:
persistence: persistence:
enabled: true enabled: true
size: 10Gi create: false
mount: true
claimName: forgejo-git-storage
ingress: ingress:
enabled: true enabled: true
@ -36,9 +36,21 @@ gitea:
admin: admin:
existingSecret: forgejo-admin-secret existingSecret: forgejo-admin-secret
additionalConfigFromEnvs:
- name: FORGEJO__DATABASE__PASSWD
valueFrom:
secretKeyRef:
name: forgejo-cnpg-app
key: password
config: config:
database: database:
DB_TYPE: sqlite3 DB_TYPE: postgres
HOST: forgejo-cnpg-rw.forgejo.svc:5432
NAME: forgejo
USER: forgejo
SCHEMA: public
SSL_MODE: disable
session: session:
PROVIDER: memory PROVIDER: memory
cache: cache:

36
prototypes/forgejo/ytt/cnpg-cluster.ytt.yaml Normal file
View file

@ -0,0 +1,36 @@
#@ load("@ytt:data", "data")
#@ ns = data.values.application.namespace
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: forgejo-cnpg
namespace: #@ ns
spec:
instances: 2
bootstrap:
initdb:
database: forgejo
owner: forgejo
storage:
size: 5Gi
storageClass: hcloud-volumes
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 512Mi
postgresql:
parameters:
shared_buffers: "64MB"
effective_cache_size: "128MB"
work_mem: "4MB"
maintenance_work_mem: "32MB"
max_connections: "50"

19
prototypes/forgejo/ytt/git-pvc.ytt.yaml Normal file
View file

@ -0,0 +1,19 @@
#@ load("@ytt:data", "data")
#@ ns = data.values.application.namespace
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: forgejo-git-storage
namespace: #@ ns
annotations:
helm.sh/resource-policy: keep
spec:
accessModes:
- ReadWriteOnce
storageClassName: hcloud-volumes
resources:
requests:
storage: 20Gi

5
prototypes/hcloud-csi/app-data.ytt.yaml Normal file
View file

@ -0,0 +1,5 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
namespace: kube-system

3
prototypes/hcloud-csi/helm/hcloud-csi.yaml Normal file
View file

@ -0,0 +1,3 @@
---
controller:
replicaCount: 1

16
prototypes/hcloud-csi/vendir/base.ytt.yaml Normal file
View file

@ -0,0 +1,16 @@
#@ load("@ytt:data", "data")
#@ app = data.values.application
---
apiVersion: vendir.k14s.io/v1alpha1
kind: Config
directories:
- path: #@ "charts/" + app.name
contents:
- path: .
helmChart:
name: #@ app.name
version: #@ app.version
repository:
url: #@ app.url
lazy: true

8
prototypes/hcloud-csi/vendir/vendir-data.ytt.yaml Normal file
View file

@ -0,0 +1,8 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
#! renovate: datasource=helm
name: hcloud-csi
url: https://charts.hetzner.cloud
version: 2.12.0

10
prototypes/hcloud-csi/ytt/fix-clusterrolebinding.ytt.yaml Normal file
View file

@ -0,0 +1,10 @@
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")
#@ ns = data.values.application.namespace
#@overlay/match by=overlay.subset({"kind": "ClusterRoleBinding"}), expects="1+"
---
subjects:
#@overlay/match by=overlay.all, expects="1+"
- namespace: #@ ns

18
prototypes/hcloud-csi/ytt/ns.ytt.yaml Normal file
View file

@ -0,0 +1,18 @@
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")
#@ ns = data.values.application.namespace
---
apiVersion: v1
kind: Namespace
metadata:
name: #@ ns
labels:
pod-security.kubernetes.io/enforce: privileged
#@overlay/match by=overlay.all, expects="1+"
---
metadata:
#@overlay/match missing_ok=True
namespace: #@ ns

25
rendered/argocd/production/app-cloudnative-pg.yaml Normal file
View file

@ -0,0 +1,25 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
annotations:
myks.dev/environment: production
finalizers:
- resources-finalizer.argocd.argoproj.io
name: app-production-cloudnative-pg
namespace: argocd
spec:
destination:
namespace: cloudnative-pg
server: https://kubernetes.default.svc
project: env-production
source:
path: rendered/envs/production/cloudnative-pg
repoURL: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
targetRevision: main
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true

1
rendered/argocd/production/app-forgejo.yaml
View file

@ -23,3 +23,4 @@ spec:
syncOptions: syncOptions:
- CreateNamespace=true - CreateNamespace=true
- ServerSideApply=true - ServerSideApply=true
- Replace=true

25
rendered/argocd/production/app-hcloud-csi.yaml Normal file
View file

@ -0,0 +1,25 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
annotations:
myks.dev/environment: production
finalizers:
- resources-finalizer.argocd.argoproj.io
name: app-production-hcloud-csi
namespace: argocd
spec:
destination:
namespace: hcloud-csi
server: https://kubernetes.default.svc
project: env-production
source:
path: rendered/envs/production/hcloud-csi
repoURL: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
targetRevision: main
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true

30
rendered/envs/production/cloudnative-pg/clusterrole-cloudnative-pg-edit.yaml Normal file
View file

@ -0,0 +1,30 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: cloudnative-pg
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cloudnative-pg
app.kubernetes.io/version: 1.25.0
helm.sh/chart: cloudnative-pg-0.23.0
name: cloudnative-pg-edit
namespace: cnpg-system
rules:
- apiGroups:
- postgresql.cnpg.io
resources:
- backups
- clusters
- databases
- poolers
- publications
- scheduledbackups
- subscriptions
verbs:
- create
- delete
- deletecollection
- patch
- update

28
rendered/envs/production/cloudnative-pg/clusterrole-cloudnative-pg-view.yaml Normal file
View file

@ -0,0 +1,28 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: cloudnative-pg
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cloudnative-pg
app.kubernetes.io/version: 1.25.0
helm.sh/chart: cloudnative-pg-0.23.0
name: cloudnative-pg-view
namespace: cnpg-system
rules:
- apiGroups:
- postgresql.cnpg.io
resources:
- backups
- clusters
- databases
- poolers
- publications
- scheduledbackups
- subscriptions
verbs:
- get
- list
- watch

229
rendered/envs/production/cloudnative-pg/clusterrole-cloudnative-pg.yaml Normal file
View file

@ -0,0 +1,229 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: cloudnative-pg
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cloudnative-pg
app.kubernetes.io/version: 1.25.0
helm.sh/chart: cloudnative-pg-0.23.0
name: cloudnative-pg
namespace: cnpg-system
rules:
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- get
- patch
- apiGroups:
- postgresql.cnpg.io
resources:
- clusterimagecatalogs
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
- secrets
- services
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- configmaps/status
- secrets/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
- pods
- pods/exec
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- pods/status
verbs:
- get
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
- apiGroups:
- monitoring.coreos.com
resources:
- podmonitors
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- postgresql.cnpg.io
resources:
- backups
- clusters
- databases
- poolers
- publications
- scheduledbackups
- subscriptions
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- postgresql.cnpg.io
resources:
- backups/status
- databases/status
- publications/status
- scheduledbackups/status
- subscriptions/status
verbs:
- get
- patch
- update
- apiGroups:
- postgresql.cnpg.io
resources:
- imagecatalogs
verbs:
- get
- list
- watch
- apiGroups:
- postgresql.cnpg.io
resources:
- clusters/finalizers
- poolers/finalizers
verbs:
- update
- apiGroups:
- postgresql.cnpg.io
resources:
- clusters/status
- poolers/status
verbs:
- get
- patch
- update
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots
verbs:
- create
- get
- list
- patch
- watch

21
rendered/envs/production/cloudnative-pg/clusterrolebinding-cloudnative-pg.yaml Normal file
View file

@ -0,0 +1,21 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: cloudnative-pg
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cloudnative-pg
app.kubernetes.io/version: 1.25.0
helm.sh/chart: cloudnative-pg-0.23.0
name: cloudnative-pg
namespace: cnpg-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cloudnative-pg
subjects:
- kind: ServiceAccount
name: cloudnative-pg
namespace: cnpg-system

14
rendered/envs/production/cloudnative-pg/configmap-cnpg-controller-manager-config.yaml Normal file
View file

@ -0,0 +1,14 @@
apiVersion: v1
data: {}
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: cloudnative-pg
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cloudnative-pg
app.kubernetes.io/version: 1.25.0
helm.sh/chart: cloudnative-pg-0.23.0
name: cnpg-controller-manager-config
namespace: cnpg-system

463
rendered/envs/production/cloudnative-pg/configmap-cnpg-default-monitoring.yaml Normal file
View file

@ -0,0 +1,463 @@
apiVersion: v1
data:
queries: |
backends:
query: |
SELECT sa.datname
, sa.usename
, sa.application_name
, states.state
, COALESCE(sa.count, 0) AS total
, COALESCE(sa.max_tx_secs, 0) AS max_tx_duration_seconds
FROM ( VALUES ('active')
, ('idle')
, ('idle in transaction')
, ('idle in transaction (aborted)')
, ('fastpath function call')
, ('disabled')
) AS states(state)
LEFT JOIN (
SELECT datname
, state
, usename
, COALESCE(application_name, '') AS application_name
, COUNT(*)
, COALESCE(EXTRACT (EPOCH FROM (max(now() - xact_start))), 0) AS max_tx_secs
FROM pg_catalog.pg_stat_activity
GROUP BY datname, state, usename, application_name
) sa ON states.state = sa.state
WHERE sa.usename IS NOT NULL
metrics:
- datname:
usage: "LABEL"
description: "Name of the database"
- usename:
usage: "LABEL"
description: "Name of the user"
- application_name:
usage: "LABEL"
description: "Name of the application"
- state:
usage: "LABEL"
description: "State of the backend"
- total:
usage: "GAUGE"
description: "Number of backends"
- max_tx_duration_seconds:
usage: "GAUGE"
description: "Maximum duration of a transaction in seconds"
backends_waiting:
query: |
SELECT count(*) AS total
FROM pg_catalog.pg_locks blocked_locks
JOIN pg_catalog.pg_locks blocking_locks
ON blocking_locks.locktype = blocked_locks.locktype
AND blocking_locks.database IS NOT DISTINCT FROM blocked_locks.database
AND blocking_locks.relation IS NOT DISTINCT FROM blocked_locks.relation
AND blocking_locks.page IS NOT DISTINCT FROM blocked_locks.page
AND blocking_locks.tuple IS NOT DISTINCT FROM blocked_locks.tuple
AND blocking_locks.virtualxid IS NOT DISTINCT FROM blocked_locks.virtualxid
AND blocking_locks.transactionid IS NOT DISTINCT FROM blocked_locks.transactionid
AND blocking_locks.classid IS NOT DISTINCT FROM blocked_locks.classid
AND blocking_locks.objid IS NOT DISTINCT FROM blocked_locks.objid
AND blocking_locks.objsubid IS NOT DISTINCT FROM blocked_locks.objsubid
AND blocking_locks.pid != blocked_locks.pid
JOIN pg_catalog.pg_stat_activity blocking_activity ON blocking_activity.pid = blocking_locks.pid
WHERE NOT blocked_locks.granted
metrics:
- total:
usage: "GAUGE"
description: "Total number of backends that are currently waiting on other queries"
pg_database:
query: |
SELECT datname
, pg_catalog.pg_database_size(datname) AS size_bytes
, pg_catalog.age(datfrozenxid) AS xid_age
, pg_catalog.mxid_age(datminmxid) AS mxid_age
FROM pg_catalog.pg_database
WHERE datallowconn
metrics:
- datname:
usage: "LABEL"
description: "Name of the database"
- size_bytes:
usage: "GAUGE"
description: "Disk space used by the database"
- xid_age:
usage: "GAUGE"
description: "Number of transactions from the frozen XID to the current one"
- mxid_age:
usage: "GAUGE"
description: "Number of multiple transactions (Multixact) from the frozen XID to the current one"
pg_postmaster:
query: |
SELECT EXTRACT(EPOCH FROM pg_postmaster_start_time) AS start_time
FROM pg_catalog.pg_postmaster_start_time()
metrics:
- start_time:
usage: "GAUGE"
description: "Time at which postgres started (based on epoch)"
pg_replication:
query: "SELECT CASE WHEN (
NOT pg_catalog.pg_is_in_recovery()
OR pg_catalog.pg_last_wal_receive_lsn() = pg_catalog.pg_last_wal_replay_lsn())
THEN 0
ELSE GREATEST (0,
EXTRACT(EPOCH FROM (now() - pg_catalog.pg_last_xact_replay_timestamp())))
END AS lag,
pg_catalog.pg_is_in_recovery() AS in_recovery,
EXISTS (TABLE pg_stat_wal_receiver) AS is_wal_receiver_up,
(SELECT count(*) FROM pg_catalog.pg_stat_replication) AS streaming_replicas"
metrics:
- lag:
usage: "GAUGE"
description: "Replication lag behind primary in seconds"
- in_recovery:
usage: "GAUGE"
description: "Whether the instance is in recovery"
- is_wal_receiver_up:
usage: "GAUGE"
description: "Whether the instance wal_receiver is up"
- streaming_replicas:
usage: "GAUGE"
description: "Number of streaming replicas connected to the instance"
pg_replication_slots:
query: |
SELECT slot_name,
slot_type,
database,
active,
(CASE pg_catalog.pg_is_in_recovery()
WHEN TRUE THEN pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_last_wal_receive_lsn(), restart_lsn)
ELSE pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), restart_lsn)
END) as pg_wal_lsn_diff
FROM pg_catalog.pg_replication_slots
WHERE NOT temporary
metrics:
- slot_name:
usage: "LABEL"
description: "Name of the replication slot"
- slot_type:
usage: "LABEL"
description: "Type of the replication slot"
- database:
usage: "LABEL"
description: "Name of the database"
- active:
usage: "GAUGE"
description: "Flag indicating whether the slot is active"
- pg_wal_lsn_diff:
usage: "GAUGE"
description: "Replication lag in bytes"
pg_stat_archiver:
query: |
SELECT archived_count
, failed_count
, COALESCE(EXTRACT(EPOCH FROM (now() - last_archived_time)), -1) AS seconds_since_last_archival
, COALESCE(EXTRACT(EPOCH FROM (now() - last_failed_time)), -1) AS seconds_since_last_failure
, COALESCE(EXTRACT(EPOCH FROM last_archived_time), -1) AS last_archived_time
, COALESCE(EXTRACT(EPOCH FROM last_failed_time), -1) AS last_failed_time
, COALESCE(CAST(CAST('x'||pg_catalog.right(pg_catalog.split_part(last_archived_wal, '.', 1), 16) AS pg_catalog.bit(64)) AS pg_catalog.int8), -1) AS last_archived_wal_start_lsn
, COALESCE(CAST(CAST('x'||pg_catalog.right(pg_catalog.split_part(last_failed_wal, '.', 1), 16) AS pg_catalog.bit(64)) AS pg_catalog.int8), -1) AS last_failed_wal_start_lsn
, EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time
FROM pg_catalog.pg_stat_archiver
metrics:
- archived_count:
usage: "COUNTER"
description: "Number of WAL files that have been successfully archived"
- failed_count:
usage: "COUNTER"
description: "Number of failed attempts for archiving WAL files"
- seconds_since_last_archival:
usage: "GAUGE"
description: "Seconds since the last successful archival operation"
- seconds_since_last_failure:
usage: "GAUGE"
description: "Seconds since the last failed archival operation"
- last_archived_time:
usage: "GAUGE"
description: "Epoch of the last time WAL archiving succeeded"
- last_failed_time:
usage: "GAUGE"
description: "Epoch of the last time WAL archiving failed"
- last_archived_wal_start_lsn:
usage: "GAUGE"
description: "Archived WAL start LSN"
- last_failed_wal_start_lsn:
usage: "GAUGE"
description: "Last failed WAL LSN"
- stats_reset_time:
usage: "GAUGE"
description: "Time at which these statistics were last reset"
pg_stat_bgwriter:
runonserver: "<17.0.0"
query: |
SELECT checkpoints_timed
, checkpoints_req
, checkpoint_write_time
, checkpoint_sync_time
, buffers_checkpoint
, buffers_clean
, maxwritten_clean
, buffers_backend
, buffers_backend_fsync
, buffers_alloc
FROM pg_catalog.pg_stat_bgwriter
metrics:
- checkpoints_timed:
usage: "COUNTER"
description: "Number of scheduled checkpoints that have been performed"
- checkpoints_req:
usage: "COUNTER"
description: "Number of requested checkpoints that have been performed"
- checkpoint_write_time:
usage: "COUNTER"
description: "Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk, in milliseconds"
- checkpoint_sync_time:
usage: "COUNTER"
description: "Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk, in milliseconds"
- buffers_checkpoint:
usage: "COUNTER"
description: "Number of buffers written during checkpoints"
- buffers_clean:
usage: "COUNTER"
description: "Number of buffers written by the background writer"
- maxwritten_clean:
usage: "COUNTER"
description: "Number of times the background writer stopped a cleaning scan because it had written too many buffers"
- buffers_backend:
usage: "COUNTER"
description: "Number of buffers written directly by a backend"
- buffers_backend_fsync:
usage: "COUNTER"
description: "Number of times a backend had to execute its own fsync call (normally the background writer handles those even when the backend does its own write)"
- buffers_alloc:
usage: "COUNTER"
description: "Number of buffers allocated"
pg_stat_bgwriter_17:
runonserver: ">=17.0.0"
name: pg_stat_bgwriter
query: |
SELECT buffers_clean
, maxwritten_clean
, buffers_alloc
, EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time
FROM pg_catalog.pg_stat_bgwriter
metrics:
- buffers_clean:
usage: "COUNTER"
description: "Number of buffers written by the background writer"
- maxwritten_clean:
usage: "COUNTER"
description: "Number of times the background writer stopped a cleaning scan because it had written too many buffers"
- buffers_alloc:
usage: "COUNTER"
description: "Number of buffers allocated"
- stats_reset_time:
usage: "GAUGE"
description: "Time at which these statistics were last reset"
pg_stat_checkpointer:
runonserver: ">=17.0.0"
query: |
SELECT num_timed AS checkpoints_timed
, num_requested AS checkpoints_req
, restartpoints_timed
, restartpoints_req
, restartpoints_done
, write_time
, sync_time
, buffers_written
, EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time
FROM pg_catalog.pg_stat_checkpointer
metrics:
- checkpoints_timed:
usage: "COUNTER"
description: "Number of scheduled checkpoints that have been performed"
- checkpoints_req:
usage: "COUNTER"
description: "Number of requested checkpoints that have been performed"
- restartpoints_timed:
usage: "COUNTER"
description: "Number of scheduled restartpoints due to timeout or after a failed attempt to perform it"
- restartpoints_req:
usage: "COUNTER"
description: "Number of requested restartpoints that have been performed"
- restartpoints_done:
usage: "COUNTER"
description: "Number of restartpoints that have been performed"
- write_time:
usage: "COUNTER"
description: "Total amount of time that has been spent in the portion of processing checkpoints and restartpoints where files are written to disk, in milliseconds"
- sync_time:
usage: "COUNTER"
description: "Total amount of time that has been spent in the portion of processing checkpoints and restartpoints where files are synchronized to disk, in milliseconds"
- buffers_written:
usage: "COUNTER"
description: "Number of buffers written during checkpoints and restartpoints"
- stats_reset_time:
usage: "GAUGE"
description: "Time at which these statistics were last reset"
pg_stat_database:
query: |
SELECT datname
, xact_commit
, xact_rollback
, blks_read
, blks_hit
, tup_returned
, tup_fetched
, tup_inserted
, tup_updated
, tup_deleted
, conflicts
, temp_files
, temp_bytes
, deadlocks
, blk_read_time
, blk_write_time
FROM pg_catalog.pg_stat_database
metrics:
- datname:
usage: "LABEL"
description: "Name of this database"
- xact_commit:
usage: "COUNTER"
description: "Number of transactions in this database that have been committed"
- xact_rollback:
usage: "COUNTER"
description: "Number of transactions in this database that have been rolled back"
- blks_read:
usage: "COUNTER"
description: "Number of disk blocks read in this database"
- blks_hit:
usage: "COUNTER"
description: "Number of times disk blocks were found already in the buffer cache, so that a read was not necessary (this only includes hits in the PostgreSQL buffer cache, not the operating system's file system cache)"
- tup_returned:
usage: "COUNTER"
description: "Number of rows returned by queries in this database"
- tup_fetched:
usage: "COUNTER"
description: "Number of rows fetched by queries in this database"
- tup_inserted:
usage: "COUNTER"
description: "Number of rows inserted by queries in this database"
- tup_updated:
usage: "COUNTER"
description: "Number of rows updated by queries in this database"
- tup_deleted:
usage: "COUNTER"
description: "Number of rows deleted by queries in this database"
- conflicts:
usage: "COUNTER"
description: "Number of queries canceled due to conflicts with recovery in this database"
- temp_files:
usage: "COUNTER"
description: "Number of temporary files created by queries in this database"
- temp_bytes:
usage: "COUNTER"
description: "Total amount of data written to temporary files by queries in this database"
- deadlocks:
usage: "COUNTER"
description: "Number of deadlocks detected in this database"
- blk_read_time:
usage: "COUNTER"
description: "Time spent reading data file blocks by backends in this database, in milliseconds"
- blk_write_time:
usage: "COUNTER"
description: "Time spent writing data file blocks by backends in this database, in milliseconds"
pg_stat_replication:
primary: true
query: |
SELECT usename
, COALESCE(application_name, '') AS application_name
, COALESCE(client_addr::text, '') AS client_addr
, COALESCE(client_port::text, '') AS client_port
, EXTRACT(EPOCH FROM backend_start) AS backend_start
, COALESCE(pg_catalog.age(backend_xmin), 0) AS backend_xmin_age
, pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), sent_lsn) AS sent_diff_bytes
, pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), write_lsn) AS write_diff_bytes
, pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), flush_lsn) AS flush_diff_bytes
, COALESCE(pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), replay_lsn),0) AS replay_diff_bytes
, COALESCE((EXTRACT(EPOCH FROM write_lag)),0)::float AS write_lag_seconds
, COALESCE((EXTRACT(EPOCH FROM flush_lag)),0)::float AS flush_lag_seconds
, COALESCE((EXTRACT(EPOCH FROM replay_lag)),0)::float AS replay_lag_seconds
FROM pg_catalog.pg_stat_replication
metrics:
- usename:
usage: "LABEL"
description: "Name of the replication user"
- application_name:
usage: "LABEL"
description: "Name of the application"
- client_addr:
usage: "LABEL"
description: "Client IP address"
- client_port:
usage: "LABEL"
description: "Client TCP port"
- backend_start:
usage: "COUNTER"
description: "Time when this process was started"
- backend_xmin_age:
usage: "COUNTER"
description: "The age of this standby's xmin horizon"
- sent_diff_bytes:
usage: "GAUGE"
description: "Difference in bytes from the last write-ahead log location sent on this connection"
- write_diff_bytes:
usage: "GAUGE"
description: "Difference in bytes from the last write-ahead log location written to disk by this standby server"
- flush_diff_bytes:
usage: "GAUGE"
description: "Difference in bytes from the last write-ahead log location flushed to disk by this standby server"
- replay_diff_bytes:
usage: "GAUGE"
description: "Difference in bytes from the last write-ahead log location replayed into the database on this standby server"
- write_lag_seconds:
usage: "GAUGE"
description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written it"
- flush_lag_seconds:
usage: "GAUGE"
description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written and flushed it"
- replay_lag_seconds:
usage: "GAUGE"
description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written, flushed and applied it"
pg_settings:
query: |
SELECT name,
CASE setting WHEN 'on' THEN '1' WHEN 'off' THEN '0' ELSE setting END AS setting
FROM pg_catalog.pg_settings
WHERE vartype IN ('integer', 'real', 'bool')
ORDER BY 1
metrics:
- name:
usage: "LABEL"
description: "Name of the setting"
- setting:
usage: "GAUGE"
description: "Setting value"
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: cloudnative-pg
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cloudnative-pg
app.kubernetes.io/version: 1.25.0
cnpg.io/reload: ""
helm.sh/chart: cloudnative-pg-0.23.0
name: cnpg-default-monitoring
namespace: cnpg-system

430
rendered/envs/production/cloudnative-pg/customresourcedefinition-backups.postgresql.cnpg.io.yaml Normal file
View file

@ -0,0 +1,430 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
controller-gen.kubebuilder.io/version: v0.16.5
helm.sh/resource-policy: keep
name: backups.postgresql.cnpg.io
namespace: cnpg-system
spec:
group: postgresql.cnpg.io
names:
kind: Backup
listKind: BackupList
plural: backups
singular: backup
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .spec.cluster.name
name: Cluster
type: string
- jsonPath: .spec.method
name: Method
type: string
- jsonPath: .status.phase
name: Phase
type: string
- jsonPath: .status.error
name: Error
type: string
name: v1
schema:
openAPIV3Schema:
description: Backup is the Schema for the backups API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
Specification of the desired behavior of the backup.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
cluster:
description: The cluster to backup
properties:
name:
description: Name of the referent.
type: string
required:
- name
type: object
method:
default: barmanObjectStore
description: |-
The backup method to be used, possible options are `barmanObjectStore`,
`volumeSnapshot` or `plugin`. Defaults to: `barmanObjectStore`.
enum:
- barmanObjectStore
- volumeSnapshot
- plugin
type: string
online:
description: |-
Whether the default type of backup with volume snapshots is
online/hot (`true`, default) or offline/cold (`false`)
Overrides the default setting specified in the cluster field '.spec.backup.volumeSnapshot.online'
type: boolean
onlineConfiguration:
description: |-
Configuration parameters to control the online/hot backup with volume snapshots
Overrides the default settings specified in the cluster '.backup.volumeSnapshot.onlineConfiguration' stanza
properties:
immediateCheckpoint:
description: |-
Control whether the I/O workload for the backup initial checkpoint will
be limited, according to the `checkpoint_completion_target` setting on
the PostgreSQL server. If set to true, an immediate checkpoint will be
used, meaning PostgreSQL will complete the checkpoint as soon as
possible. `false` by default.
type: boolean
waitForArchive:
default: true
description: |-
If false, the function will return immediately after the backup is completed,
without waiting for WAL to be archived.
This behavior is only useful with backup software that independently monitors WAL archiving.
Otherwise, WAL required to make the backup consistent might be missing and make the backup useless.
By default, or when this parameter is true, pg_backup_stop will wait for WAL to be archived when archiving is
enabled.
On a standby, this means that it will wait only when archive_mode = always.
If write activity on the primary is low, it may be useful to run pg_switch_wal on the primary in order to trigger
an immediate segment switch.
type: boolean
type: object
pluginConfiguration:
description: Configuration parameters passed to the plugin managing this backup
properties:
name:
description: Name is the name of the plugin managing this backup
type: string
parameters:
additionalProperties:
type: string
description: |-
Parameters are the configuration parameters passed to the backup
plugin for this backup
type: object
required:
- name
type: object
target:
description: |-
The policy to decide which instance should perform this backup. If empty,
it defaults to `cluster.spec.backup.target`.
Available options are empty string, `primary` and `prefer-standby`.
`primary` to have backups run always on primary instances,
`prefer-standby` to have backups run preferably on the most updated
standby, if available.
enum:
- primary
- prefer-standby
type: string
required:
- cluster
type: object
status:
description: |-
Most recently observed status of the backup. This data may not be up to
date. Populated by the system. Read-only.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
azureCredentials:
description: The credentials to use to upload data to Azure Blob Storage
properties:
connectionString:
description: The connection string to be used
properties:
key:
description: The key to select
type: string
name:
description: Name of the referent.
type: string
required:
- key
- name
type: object
inheritFromAzureAD:
description: Use the Azure AD based authentication without providing explicitly the keys.
type: boolean
storageAccount:
description: The storage account where to upload data
properties:
key:
description: The key to select
type: string
name:
description: Name of the referent.
type: string
required:
- key
- name
type: object
storageKey:
description: |-
The storage account key to be used in conjunction
with the storage account name
properties:
key:
description: The key to select
type: string
name:
description: Name of the referent.
type: string
required:
- key
- name
type: object
storageSasToken:
description: |-
A shared-access-signature to be used in conjunction with
the storage account name
properties:
key:
description: The key to select
type: string
name:
description: Name of the referent.
type: string
required:
- key
- name
type: object
type: object
backupId:
description: The ID of the Barman backup
type: string
backupLabelFile:
description: Backup label file content as returned by Postgres in case of online (hot) backups
format: byte
type: string
backupName:
description: The Name of the Barman backup
type: string
beginLSN:
description: The starting xlog
type: string
beginWal:
description: The starting WAL
type: string
commandError:
description: The backup command output in case of error
type: string
commandOutput:
description: Unused. Retained for compatibility with old versions.
type: string
destinationPath:
description: |-
The path where to store the backup (i.e. s3://bucket/path/to/folder)
this path, with different destination folders, will be used for WALs
and for data. This may not be populated in case of errors.
type: string
encryption:
description: Encryption method required to S3 API
type: string
endLSN:
description: The ending xlog
type: string
endWal:
description: The ending WAL
type: string
endpointCA:
description: |-
EndpointCA store the CA bundle of the barman endpoint.
Useful when using self-signed certificates to avoid
errors with certificate issuer and barman-cloud-wal-archive.
properties:
key:
description: The key to select
type: string
name:
description: Name of the referent.
type: string
required:
- key
- name
type: object
endpointURL:
description: |-
Endpoint to be used to upload data to the cloud,
overriding the automatic endpoint discovery
type: string
error:
description: The detected error
type: string
googleCredentials:
description: The credentials to use to upload data to Google Cloud Storage
properties:
applicationCredentials:
description: The secret containing the Google Cloud Storage JSON file with the credentials
properties:
key:
description: The key to select
type: string
name:
description: Name of the referent.
type: string
required:
- key
- name
type: object
gkeEnvironment:
description: |-
If set to true, will presume that it's running inside a GKE environment,
default to false.
type: boolean
type: object
instanceID:
description: Information to identify the instance where the backup has been taken from
properties:
ContainerID:
description: The container ID
type: string
podName:
description: The pod name
type: string
type: object
method:
description: The backup method being used
type: string
online:
description: Whether the backup was online/hot (`true`) or offline/cold (`false`)
type: boolean
phase:
description: The last backup status
type: string
pluginMetadata:
additionalProperties:
type: string
description: A map containing the plugin metadata
type: object
s3Credentials:
description: The credentials to use to upload data to S3
properties:
accessKeyId:
description: The reference to the access key id
properties:
key:
description: The key to select
type: string
name:
description: Name of the referent.
type: string
required:
- key
- name
type: object
inheritFromIAMRole:
description: Use the role based authentication without providing explicitly the keys.
type: boolean
region:
description: The reference to the secret containing the region name
properties:
key:
description: The key to select
type: string
name:
description: Name of the referent.
type: string
required:
- key
- name
type: object
secretAccessKey:
description: The reference to the secret access key
properties:
key:
description: The key to select
type: string
name:
description: Name of the referent.
type: string
required:
- key
- name
type: object
sessionToken:
description: The references to the session key
properties:
key:
description: The key to select
type: string
name:
description: Name of the referent.
type: string
required:
- key
- name
type: object
type: object
serverName:
description: |-
The server name on S3, the cluster name is used if this
parameter is omitted
type: string
snapshotBackupStatus:
description: Status of the volumeSnapshot backup
properties:
elements:
description: The elements list, populated with the gathered volume snapshots
items:
description: BackupSnapshotElementStatus is a volume snapshot that is part of a volume snapshot method backup
properties:
name:
description: Name is the snapshot resource name
type: string
tablespaceName:
description: |-
TablespaceName is the name of the snapshotted tablespace. Only set
when type is PG_TABLESPACE
type: string
type:
description: Type is tho role of the snapshot in the cluster, such as PG_DATA, PG_WAL and PG_TABLESPACE
type: string
required:
- name
- type
type: object
type: array
type: object
startedAt:
description: When the backup was started
format: date-time
type: string
stoppedAt:
description: When the backup was terminated
format: date-time
type: string
tablespaceMapFile:
description: Tablespace map file content as returned by Postgres in case of online (hot) backups
format: byte
type: string
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
subresources:
status: {}

81
rendered/envs/production/cloudnative-pg/customresourcedefinition-clusterimagecatalogs.postgresql.cnpg.io.yaml Normal file
View file

@ -0,0 +1,81 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
controller-gen.kubebuilder.io/version: v0.16.5
helm.sh/resource-policy: keep
name: clusterimagecatalogs.postgresql.cnpg.io
namespace: cnpg-system
spec:
group: postgresql.cnpg.io
names:
kind: ClusterImageCatalog
listKind: ClusterImageCatalogList
plural: clusterimagecatalogs
singular: clusterimagecatalog
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: ClusterImageCatalog is the Schema for the clusterimagecatalogs API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
Specification of the desired behavior of the ClusterImageCatalog.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
images:
description: List of CatalogImages available in the catalog
items:
description: CatalogImage defines the image and major version
properties:
image:
description: The image reference
type: string
major:
description: The PostgreSQL major version of the image. Must be unique within the catalog.
minimum: 10
type: integer
required:
- image
- major
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-validations:
- message: Images must have unique major versions
rule: self.all(e, self.filter(f, f.major==e.major).size() == 1)
required:
- images
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
subresources: {}

6188
rendered/envs/production/cloudnative-pg/customresourcedefinition-clusters.postgresql.cnpg.io.yaml Normal file
View file

File diff suppressed because it is too large Load diff

261
rendered/envs/production/cloudnative-pg/customresourcedefinition-databases.postgresql.cnpg.io.yaml Normal file
View file

@ -0,0 +1,261 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
controller-gen.kubebuilder.io/version: v0.16.5
helm.sh/resource-policy: keep
name: databases.postgresql.cnpg.io
namespace: cnpg-system
spec:
group: postgresql.cnpg.io
names:
kind: Database
listKind: DatabaseList
plural: databases
singular: database
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .spec.cluster.name
name: Cluster
type: string
- jsonPath: .spec.name
name: PG Name
type: string
- jsonPath: .status.applied
name: Applied
type: boolean
- description: Latest reconciliation message
jsonPath: .status.message
name: Message
type: string
name: v1
schema:
openAPIV3Schema:
description: Database is the Schema for the databases API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
Specification of the desired Database.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
allowConnections:
description: |-
Maps to the `ALLOW_CONNECTIONS` parameter of `CREATE DATABASE` and
`ALTER DATABASE`. If false then no one can connect to this database.
type: boolean
builtinLocale:
description: |-
Maps to the `BUILTIN_LOCALE` parameter of `CREATE DATABASE`. This
setting cannot be changed. Specifies the locale name when the
builtin provider is used. This option requires `localeProvider` to
be set to `builtin`. Available from PostgreSQL 17.
type: string
x-kubernetes-validations:
- message: builtinLocale is immutable
rule: self == oldSelf
cluster:
description: The name of the PostgreSQL cluster hosting the database.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
collationVersion:
description: |-
Maps to the `COLLATION_VERSION` parameter of `CREATE DATABASE`. This
setting cannot be changed.
type: string
x-kubernetes-validations:
- message: collationVersion is immutable
rule: self == oldSelf
connectionLimit:
description: |-
Maps to the `CONNECTION LIMIT` clause of `CREATE DATABASE` and
`ALTER DATABASE`. How many concurrent connections can be made to
this database. -1 (the default) means no limit.
type: integer
databaseReclaimPolicy:
default: retain
description: The policy for end-of-life maintenance of this database.
enum:
- delete
- retain
type: string
encoding:
description: |-
Maps to the `ENCODING` parameter of `CREATE DATABASE`. This setting
cannot be changed. Character set encoding to use in the database.
type: string
x-kubernetes-validations:
- message: encoding is immutable
rule: self == oldSelf
ensure:
default: present
description: Ensure the PostgreSQL database is `present` or `absent` - defaults to "present".
enum:
- present
- absent
type: string
icuLocale:
description: |-
Maps to the `ICU_LOCALE` parameter of `CREATE DATABASE`. This
setting cannot be changed. Specifies the ICU locale when the ICU
provider is used. This option requires `localeProvider` to be set to
`icu`. Available from PostgreSQL 15.
type: string
x-kubernetes-validations:
- message: icuLocale is immutable
rule: self == oldSelf
icuRules:
description: |-
Maps to the `ICU_RULES` parameter of `CREATE DATABASE`. This setting
cannot be changed. Specifies additional collation rules to customize
the behavior of the default collation. This option requires
`localeProvider` to be set to `icu`. Available from PostgreSQL 16.
type: string
x-kubernetes-validations:
- message: icuRules is immutable
rule: self == oldSelf
isTemplate:
description: |-
Maps to the `IS_TEMPLATE` parameter of `CREATE DATABASE` and `ALTER
DATABASE`. If true, this database is considered a template and can
be cloned by any user with `CREATEDB` privileges.
type: boolean
locale:
description: |-
Maps to the `LOCALE` parameter of `CREATE DATABASE`. This setting
cannot be changed. Sets the default collation order and character
classification in the new database.
type: string
x-kubernetes-validations:
- message: locale is immutable
rule: self == oldSelf
localeCType:
description: |-
Maps to the `LC_CTYPE` parameter of `CREATE DATABASE`. This setting
cannot be changed.
type: string
x-kubernetes-validations:
- message: localeCType is immutable
rule: self == oldSelf
localeCollate:
description: |-
Maps to the `LC_COLLATE` parameter of `CREATE DATABASE`. This
setting cannot be changed.
type: string
x-kubernetes-validations:
- message: localeCollate is immutable
rule: self == oldSelf
localeProvider:
description: |-
Maps to the `LOCALE_PROVIDER` parameter of `CREATE DATABASE`. This
setting cannot be changed. This option sets the locale provider for
databases created in the new cluster. Available from PostgreSQL 16.
type: string
x-kubernetes-validations:
- message: localeProvider is immutable
rule: self == oldSelf
name:
description: The name of the database to create inside PostgreSQL. This setting cannot be changed.
type: string
x-kubernetes-validations:
- message: name is immutable
rule: self == oldSelf
- message: the name postgres is reserved
rule: self != 'postgres'
- message: the name template0 is reserved
rule: self != 'template0'
- message: the name template1 is reserved
rule: self != 'template1'
owner:
description: |-
Maps to the `OWNER` parameter of `CREATE DATABASE`.
Maps to the `OWNER TO` command of `ALTER DATABASE`.
The role name of the user who owns the database inside PostgreSQL.
type: string
tablespace:
description: |-
Maps to the `TABLESPACE` parameter of `CREATE DATABASE`.
Maps to the `SET TABLESPACE` command of `ALTER DATABASE`.
The name of the tablespace (in PostgreSQL) that will be associated
with the new database. This tablespace will be the default
tablespace used for objects created in this database.
type: string
template:
description: |-
Maps to the `TEMPLATE` parameter of `CREATE DATABASE`. This setting
cannot be changed. The name of the template from which to create
this database.
type: string
x-kubernetes-validations:
- message: template is immutable
rule: self == oldSelf
required:
- cluster
- name
- owner
type: object
x-kubernetes-validations:
- message: builtinLocale is only available when localeProvider is set to `builtin`
rule: '!has(self.builtinLocale) || self.localeProvider == ''builtin'''
- message: icuLocale is only available when localeProvider is set to `icu`
rule: '!has(self.icuLocale) || self.localeProvider == ''icu'''
- message: icuRules is only available when localeProvider is set to `icu`
rule: '!has(self.icuRules) || self.localeProvider == ''icu'''
status:
description: |-
Most recently observed status of the Database. This data may not be up to
date. Populated by the system. Read-only.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
applied:
description: Applied is true if the database was reconciled correctly
type: boolean
message:
description: Message is the reconciliation output message
type: string
observedGeneration:
description: |-
A sequence number representing the latest
desired state that was synchronized
format: int64
type: integer
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
subresources:
status: {}

81
rendered/envs/production/cloudnative-pg/customresourcedefinition-imagecatalogs.postgresql.cnpg.io.yaml Normal file
View file

@ -0,0 +1,81 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
controller-gen.kubebuilder.io/version: v0.16.5
helm.sh/resource-policy: keep
name: imagecatalogs.postgresql.cnpg.io
namespace: cnpg-system
spec:
group: postgresql.cnpg.io
names:
kind: ImageCatalog
listKind: ImageCatalogList
plural: imagecatalogs
singular: imagecatalog
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: ImageCatalog is the Schema for the imagecatalogs API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
Specification of the desired behavior of the ImageCatalog.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
images:
description: List of CatalogImages available in the catalog
items:
description: CatalogImage defines the image and major version
properties:
image:
description: The image reference
type: string
major:
description: The PostgreSQL major version of the image. Must be unique within the catalog.
minimum: 10
type: integer
required:
- image
- major
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-validations:
- message: Images must have unique major versions
rule: self.all(e, self.filter(f, f.major==e.major).size() == 1)
required:
- images
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
subresources: {}

8460
rendered/envs/production/cloudnative-pg/customresourcedefinition-poolers.postgresql.cnpg.io.yaml Normal file
View file

File diff suppressed because it is too large Load diff

190
rendered/envs/production/cloudnative-pg/customresourcedefinition-publications.postgresql.cnpg.io.yaml Normal file
View file

@ -0,0 +1,190 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
controller-gen.kubebuilder.io/version: v0.16.5
helm.sh/resource-policy: keep
name: publications.postgresql.cnpg.io
namespace: cnpg-system
spec:
group: postgresql.cnpg.io
names:
kind: Publication
listKind: PublicationList
plural: publications
singular: publication
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .spec.cluster.name
name: Cluster
type: string
- jsonPath: .spec.name
name: PG Name
type: string
- jsonPath: .status.applied
name: Applied
type: boolean
- description: Latest reconciliation message
jsonPath: .status.message
name: Message
type: string
name: v1
schema:
openAPIV3Schema:
description: Publication is the Schema for the publications API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: PublicationSpec defines the desired state of Publication
properties:
cluster:
description: The name of the PostgreSQL cluster that identifies the "publisher"
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
dbname:
description: |-
The name of the database where the publication will be installed in
the "publisher" cluster
type: string
x-kubernetes-validations:
- message: dbname is immutable
rule: self == oldSelf
name:
description: The name of the publication inside PostgreSQL
type: string
x-kubernetes-validations:
- message: name is immutable
rule: self == oldSelf
parameters:
additionalProperties:
type: string
description: |-
Publication parameters part of the `WITH` clause as expected by
PostgreSQL `CREATE PUBLICATION` command
type: object
publicationReclaimPolicy:
default: retain
description: The policy for end-of-life maintenance of this publication
enum:
- delete
- retain
type: string
target:
description: Target of the publication as expected by PostgreSQL `CREATE PUBLICATION` command
properties:
allTables:
description: |-
Marks the publication as one that replicates changes for all tables
in the database, including tables created in the future.
Corresponding to `FOR ALL TABLES` in PostgreSQL.
type: boolean
x-kubernetes-validations:
- message: allTables is immutable
rule: self == oldSelf
objects:
description: Just the following schema objects
items:
description: PublicationTargetObject is an object to publish
properties:
table:
description: |-
Specifies a list of tables to add to the publication. Corresponding
to `FOR TABLE` in PostgreSQL.
properties:
columns:
description: The columns to publish
items:
type: string
type: array
name:
description: The table name
type: string
only:
description: Whether to limit to the table only or include all its descendants
type: boolean
schema:
description: The schema name
type: string
required:
- name
type: object
tablesInSchema:
description: |-
Marks the publication as one that replicates changes for all tables
in the specified list of schemas, including tables created in the
future. Corresponding to `FOR TABLES IN SCHEMA` in PostgreSQL.
type: string
type: object
x-kubernetes-validations:
- message: tablesInSchema and table are mutually exclusive
rule: (has(self.tablesInSchema) && !has(self.table)) || (!has(self.tablesInSchema) && has(self.table))
maxItems: 100000
type: array
x-kubernetes-validations:
- message: specifying a column list when the publication also publishes tablesInSchema is not supported
rule: '!(self.exists(o, has(o.table) && has(o.table.columns)) && self.exists(o, has(o.tablesInSchema)))'
type: object
x-kubernetes-validations:
- message: allTables and objects are mutually exclusive
rule: (has(self.allTables) && !has(self.objects)) || (!has(self.allTables) && has(self.objects))
required:
- cluster
- dbname
- name
- target
type: object
status:
description: PublicationStatus defines the observed state of Publication
properties:
applied:
description: Applied is true if the publication was reconciled correctly
type: boolean
message:
description: Message is the reconciliation output message
type: string
observedGeneration:
description: |-
A sequence number representing the latest
desired state that was synchronized
format: int64
type: integer
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
subresources:
status: {}

190
rendered/envs/production/cloudnative-pg/customresourcedefinition-scheduledbackups.postgresql.cnpg.io.yaml Normal file
View file

@ -0,0 +1,190 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
controller-gen.kubebuilder.io/version: v0.16.5
helm.sh/resource-policy: keep
name: scheduledbackups.postgresql.cnpg.io
namespace: cnpg-system
spec:
group: postgresql.cnpg.io
names:
kind: ScheduledBackup
listKind: ScheduledBackupList
plural: scheduledbackups
singular: scheduledbackup
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .spec.cluster.name
name: Cluster
type: string
- jsonPath: .status.lastScheduleTime
name: Last Backup
type: date
name: v1
schema:
openAPIV3Schema:
description: ScheduledBackup is the Schema for the scheduledbackups API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
Specification of the desired behavior of the ScheduledBackup.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
backupOwnerReference:
default: none
description: |-
Indicates which ownerReference should be put inside the created backup resources.<br />
- none: no owner reference for created backup objects (same behavior as before the field was introduced)<br />
- self: sets the Scheduled backup object as owner of the backup<br />
- cluster: set the cluster as owner of the backup<br />
enum:
- none
- self
- cluster
type: string
cluster:
description: The cluster to backup
properties:
name:
description: Name of the referent.
type: string
required:
- name
type: object
immediate:
description: If the first backup has to be immediately start after creation or not
type: boolean
method:
default: barmanObjectStore
description: |-
The backup method to be used, possible options are `barmanObjectStore`,
`volumeSnapshot` or `plugin`. Defaults to: `barmanObjectStore`.
enum:
- barmanObjectStore
- volumeSnapshot
- plugin
type: string
online:
description: |-
Whether the default type of backup with volume snapshots is
online/hot (`true`, default) or offline/cold (`false`)
Overrides the default setting specified in the cluster field '.spec.backup.volumeSnapshot.online'
type: boolean
onlineConfiguration:
description: |-
Configuration parameters to control the online/hot backup with volume snapshots
Overrides the default settings specified in the cluster '.backup.volumeSnapshot.onlineConfiguration' stanza
properties:
immediateCheckpoint:
description: |-
Control whether the I/O workload for the backup initial checkpoint will
be limited, according to the `checkpoint_completion_target` setting on
the PostgreSQL server. If set to true, an immediate checkpoint will be
used, meaning PostgreSQL will complete the checkpoint as soon as
possible. `false` by default.
type: boolean
waitForArchive:
default: true
description: |-
If false, the function will return immediately after the backup is completed,
without waiting for WAL to be archived.
This behavior is only useful with backup software that independently monitors WAL archiving.
Otherwise, WAL required to make the backup consistent might be missing and make the backup useless.
By default, or when this parameter is true, pg_backup_stop will wait for WAL to be archived when archiving is
enabled.
On a standby, this means that it will wait only when archive_mode = always.
If write activity on the primary is low, it may be useful to run pg_switch_wal on the primary in order to trigger
an immediate segment switch.
type: boolean
type: object
pluginConfiguration:
description: Configuration parameters passed to the plugin managing this backup
properties:
name:
description: Name is the name of the plugin managing this backup
type: string
parameters:
additionalProperties:
type: string
description: |-
Parameters are the configuration parameters passed to the backup
plugin for this backup
type: object
required:
- name
type: object
schedule:
description: |-
The schedule does not follow the same format used in Kubernetes CronJobs
as it includes an additional seconds specifier,
see https://pkg.go.dev/github.com/robfig/cron#hdr-CRON_Expression_Format
type: string
suspend:
description: If this backup is suspended or not
type: boolean
target:
description: |-
The policy to decide which instance should perform this backup. If empty,
it defaults to `cluster.spec.backup.target`.
Available options are empty string, `primary` and `prefer-standby`.
`primary` to have backups run always on primary instances,
`prefer-standby` to have backups run preferably on the most updated
standby, if available.
enum:
- primary
- prefer-standby
type: string
required:
- cluster
- schedule
type: object
status:
description: |-
Most recently observed status of the ScheduledBackup. This data may not be up
to date. Populated by the system. Read-only.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
lastCheckTime:
description: The latest time the schedule
format: date-time
type: string
lastScheduleTime:
description: Information when was the last time that backup was successfully scheduled.
format: date-time
type: string
nextScheduleTime:
description: Next time we will run a backup
format: date-time
type: string
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
subresources:
status: {}

146
rendered/envs/production/cloudnative-pg/customresourcedefinition-subscriptions.postgresql.cnpg.io.yaml Normal file
View file

@ -0,0 +1,146 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
controller-gen.kubebuilder.io/version: v0.16.5
helm.sh/resource-policy: keep
name: subscriptions.postgresql.cnpg.io
namespace: cnpg-system
spec:
group: postgresql.cnpg.io
names:
kind: Subscription
listKind: SubscriptionList
plural: subscriptions
singular: subscription
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .spec.cluster.name
name: Cluster
type: string
- jsonPath: .spec.name
name: PG Name
type: string
- jsonPath: .status.applied
name: Applied
type: boolean
- description: Latest reconciliation message
jsonPath: .status.message
name: Message
type: string
name: v1
schema:
openAPIV3Schema:
description: Subscription is the Schema for the subscriptions API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: SubscriptionSpec defines the desired state of Subscription
properties:
cluster:
description: The name of the PostgreSQL cluster that identifies the "subscriber"
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
dbname:
description: |-
The name of the database where the publication will be installed in
the "subscriber" cluster
type: string
x-kubernetes-validations:
- message: dbname is immutable
rule: self == oldSelf
externalClusterName:
description: The name of the external cluster with the publication ("publisher")
type: string
name:
description: The name of the subscription inside PostgreSQL
type: string
x-kubernetes-validations:
- message: name is immutable
rule: self == oldSelf
parameters:
additionalProperties:
type: string
description: |-
Subscription parameters part of the `WITH` clause as expected by
PostgreSQL `CREATE SUBSCRIPTION` command
type: object
publicationDBName:
description: |-
The name of the database containing the publication on the external
cluster. Defaults to the one in the external cluster definition.
type: string
publicationName:
description: |-
The name of the publication inside the PostgreSQL database in the
"publisher"
type: string
subscriptionReclaimPolicy:
default: retain
description: The policy for end-of-life maintenance of this subscription
enum:
- delete
- retain
type: string
required:
- cluster
- dbname
- externalClusterName
- name
- publicationName
type: object
status:
description: SubscriptionStatus defines the observed state of Subscription
properties:
applied:
description: Applied is true if the subscription was reconciled correctly
type: boolean
message:
description: Message is the reconciliation output message
type: string
observedGeneration:
description: |-
A sequence number representing the latest
desired state that was synchronized
format: int64
type: integer
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
subresources:
status: {}

99
rendered/envs/production/cloudnative-pg/deployment-cloudnative-pg.yaml Normal file
View file

@ -0,0 +1,99 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: cloudnative-pg
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cloudnative-pg
app.kubernetes.io/version: 1.25.0
helm.sh/chart: cloudnative-pg-0.23.0
name: cloudnative-pg
namespace: cnpg-system
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/instance: cloudnative-pg
app.kubernetes.io/name: cloudnative-pg
template:
metadata:
annotations:
checksum/config: 58eeb2f6847432d54310c44a01db93c370f722309827d3a3177b36183ae7399b
checksum/monitoring-config: 794b973f78a96e769be960221b62b1168deb2bc532c5b16b31096bbe801d2d54
checksum/rbac: f8bdccd5b7485612eb3d8e0b5b10c9916c9d017418e2862f96a78a9206b9e091
labels:
app.kubernetes.io/instance: cloudnative-pg
app.kubernetes.io/name: cloudnative-pg
spec:
containers:
- args:
- controller
- --leader-elect
- --max-concurrent-reconciles=10
- --config-map-name=cnpg-controller-manager-config
- --webhook-port=9443
command:
- /manager
env:
- name: OPERATOR_IMAGE_NAME
value: ghcr.io/cloudnative-pg/cloudnative-pg:1.25.0
- name: OPERATOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MONITORING_QUERIES_CONFIGMAP
value: cnpg-default-monitoring
image: ghcr.io/cloudnative-pg/cloudnative-pg:1.25.0
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /readyz
port: 9443
scheme: HTTPS
initialDelaySeconds: 3
name: manager
ports:
- containerPort: 8080
name: metrics
protocol: TCP
- containerPort: 9443
name: webhook-server
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 9443
scheme: HTTPS
initialDelaySeconds: 3
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10001
runAsUser: 10001
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /controller
name: scratch-data
- mountPath: /run/secrets/cnpg.io/webhook
name: webhook-certificates
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: cloudnative-pg
terminationGracePeriodSeconds: 10
volumes:
- emptyDir: {}
name: scratch-data
- name: webhook-certificates
secret:
defaultMode: 420
optional: true
secretName: cnpg-webhook-cert

77
rendered/envs/production/cloudnative-pg/mutatingwebhookconfiguration-cnpg-mutating-webhook-configuration.yaml Normal file
View file

@ -0,0 +1,77 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: cloudnative-pg
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cloudnative-pg
app.kubernetes.io/version: 1.25.0
helm.sh/chart: cloudnative-pg-0.23.0
name: cnpg-mutating-webhook-configuration
namespace: cnpg-system
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: cnpg-webhook-service
namespace: cnpg-system
path: /mutate-postgresql-cnpg-io-v1-backup
port: 443
failurePolicy: Fail
name: mbackup.cnpg.io
rules:
- apiGroups:
- postgresql.cnpg.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- backups
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: cnpg-webhook-service
namespace: cnpg-system
path: /mutate-postgresql-cnpg-io-v1-cluster
port: 443
failurePolicy: Fail
name: mcluster.cnpg.io
rules:
- apiGroups:
- postgresql.cnpg.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- clusters
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: cnpg-webhook-service
namespace: cnpg-system
path: /mutate-postgresql-cnpg-io-v1-scheduledbackup
port: 443
failurePolicy: Fail
name: mscheduledbackup.cnpg.io
rules:
- apiGroups:
- postgresql.cnpg.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- scheduledbackups
sideEffects: None

9
rendered/envs/production/cloudnative-pg/namespace-cnpg-system.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Namespace
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
pod-security.kubernetes.io/enforce: privileged
name: cnpg-system
namespace: cnpg-system

22
rendered/envs/production/cloudnative-pg/service-cnpg-webhook-service.yaml Normal file
View file

@ -0,0 +1,22 @@
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: cloudnative-pg
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cloudnative-pg
app.kubernetes.io/version: 1.25.0
helm.sh/chart: cloudnative-pg-0.23.0
name: cnpg-webhook-service
namespace: cnpg-system
spec:
ports:
- name: webhook-server
port: 443
targetPort: webhook-server
selector:
app.kubernetes.io/instance: cloudnative-pg
app.kubernetes.io/name: cloudnative-pg
type: ClusterIP

13
rendered/envs/production/cloudnative-pg/serviceaccount-cloudnative-pg.yaml Normal file
View file

@ -0,0 +1,13 @@
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: cloudnative-pg
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cloudnative-pg
app.kubernetes.io/version: 1.25.0
helm.sh/chart: cloudnative-pg-0.23.0
name: cloudnative-pg
namespace: cnpg-system

98
rendered/envs/production/cloudnative-pg/validatingwebhookconfiguration-cnpg-validating-webhook-configuration.yaml Normal file
View file

@ -0,0 +1,98 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: cloudnative-pg
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cloudnative-pg
app.kubernetes.io/version: 1.25.0
helm.sh/chart: cloudnative-pg-0.23.0
name: cnpg-validating-webhook-configuration
namespace: cnpg-system
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: cnpg-webhook-service
namespace: cnpg-system
path: /validate-postgresql-cnpg-io-v1-backup
port: 443
failurePolicy: Fail
name: vbackup.cnpg.io
rules:
- apiGroups:
- postgresql.cnpg.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- backups
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: cnpg-webhook-service
namespace: cnpg-system
path: /validate-postgresql-cnpg-io-v1-cluster
port: 443
failurePolicy: Fail
name: vcluster.cnpg.io
rules:
- apiGroups:
- postgresql.cnpg.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- clusters
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: cnpg-webhook-service
namespace: cnpg-system
path: /validate-postgresql-cnpg-io-v1-scheduledbackup
port: 443
failurePolicy: Fail
name: vscheduledbackup.cnpg.io
rules:
- apiGroups:
- postgresql.cnpg.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- scheduledbackups
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: cnpg-webhook-service
namespace: cnpg-system
path: /validate-postgresql-cnpg-io-v1-pooler
port: 443
failurePolicy: Fail
name: vpooler.cnpg.io
rules:
- apiGroups:
- postgresql.cnpg.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- poolers
sideEffects: None

29
rendered/envs/production/forgejo/cluster-forgejo-cnpg.yaml Normal file
View file

@ -0,0 +1,29 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
name: forgejo-cnpg
namespace: forgejo
spec:
bootstrap:
initdb:
database: forgejo
owner: forgejo
instances: 2
postgresql:
parameters:
effective_cache_size: 128MB
maintenance_work_mem: 32MB
max_connections: "50"
shared_buffers: 64MB
work_mem: 4MB
resources:
limits:
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
storage:
size: 5Gi
storageClass: hcloud-volumes

11
rendered/envs/production/forgejo/deployment-forgejo.yaml
View file

@ -14,7 +14,7 @@ metadata:
name: forgejo name: forgejo
namespace: forgejo namespace: forgejo
spec: spec:
replicas: 0 replicas: 1
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/instance: forgejo app.kubernetes.io/instance: forgejo
@ -24,7 +24,7 @@ spec:
template: template:
metadata: metadata:
annotations: annotations:
checksum/config: 507b290a6b8e8566a121f0f35baf2cd5e6fc4b3b8560e8452ce70c812b11fde5 checksum/config: 5db583674387f2efbbeb9ed020a3fdff3f9f8cf129663421f38cbb6e20d720a8
labels: labels:
app: forgejo app: forgejo
app.kubernetes.io/instance: forgejo app.kubernetes.io/instance: forgejo
@ -123,6 +123,11 @@ spec:
value: /data value: /data
- name: GITEA_TEMP - name: GITEA_TEMP
value: /tmp/gitea value: /tmp/gitea
- name: FORGEJO__DATABASE__PASSWD
valueFrom:
secretKeyRef:
key: password
name: forgejo-cnpg-app
image: codeberg.org/forgejo/forgejo:7.0.3-rootless image: codeberg.org/forgejo/forgejo:7.0.3-rootless
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: init-app-ini name: init-app-ini
@ -202,4 +207,4 @@ spec:
name: temp name: temp
- name: data - name: data
persistentVolumeClaim: persistentVolumeClaim:
claimName: gitea-shared-storage claimName: forgejo-git-storage

6
rendered/envs/production/forgejo/persistentvolumeclaim-gitea-shared-storage.yaml → rendered/envs/production/forgejo/persistentvolumeclaim-forgejo-git-storage.yaml
View file

@ -4,12 +4,12 @@ metadata:
annotations: annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
name: gitea-shared-storage name: forgejo-git-storage
namespace: forgejo namespace: forgejo
spec: spec:
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
resources: resources:
requests: requests:
storage: 10Gi storage: 20Gi
volumeMode: Filesystem storageClassName: hcloud-volumes

8
rendered/envs/production/forgejo/secret-forgejo-inline-config.yaml
View file

@ -21,7 +21,13 @@ stringData:
cache: |- cache: |-
ADAPTER=memory ADAPTER=memory
HOST= HOST=
database: DB_TYPE=sqlite3 database: |-
DB_TYPE=postgres
HOST=forgejo-cnpg-rw.forgejo.svc:5432
NAME=forgejo
SCHEMA=public
SSL_MODE=disable
USER=forgejo
indexer: ISSUE_INDEXER_TYPE=db indexer: ISSUE_INDEXER_TYPE=db
metrics: ENABLED=false metrics: ENABLED=false
queue: |- queue: |-

144
rendered/envs/production/hcloud-csi/clusterrole-hcloud-csi-controller.yaml Normal file
View file

@ -0,0 +1,144 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: hcloud-csi
helm.sh/chart: hcloud-csi-2.12.0
name: hcloud-csi-controller
namespace: kube-system
rules:
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- csi.storage.k8s.io
resources:
- csinodeinfos
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments/status
verbs:
- patch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- get
- list
- watch
- create
- delete
- patch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
- persistentvolumeclaims/status
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- list
- watch
- create
- update
- patch
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots
verbs:
- get
- list
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshotcontents
verbs:
- get
- list
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- get
- list
- watch
- create
- update
- patch

21
rendered/envs/production/hcloud-csi/clusterrolebinding-hcloud-csi-controller.yaml Normal file
View file

@ -0,0 +1,21 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: hcloud-csi
helm.sh/chart: hcloud-csi-2.12.0
name: hcloud-csi-controller
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: hcloud-csi-controller
subjects:
- kind: ServiceAccount
name: hcloud-csi-controller
namespace: kube-system

14
rendered/envs/production/hcloud-csi/csidriver-csi.hetzner.cloud.yaml Normal file
View file

@ -0,0 +1,14 @@
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
name: csi.hetzner.cloud
namespace: kube-system
spec:
attachRequired: true
fsGroupPolicy: File
podInfoOnMount: true
seLinuxMount: true
volumeLifecycleModes:
- Persistent

130
rendered/envs/production/hcloud-csi/daemonset-hcloud-csi-node.yaml Normal file
View file

@ -0,0 +1,130 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app: hcloud-csi
app.kubernetes.io/component: node
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: hcloud-csi
helm.sh/chart: hcloud-csi-2.12.0
name: hcloud-csi-node
namespace: kube-system
spec:
selector:
matchLabels:
app.kubernetes.io/component: node
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/name: hcloud-csi
template:
metadata:
labels:
app.kubernetes.io/component: node
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: hcloud-csi
helm.sh/chart: hcloud-csi-2.12.0
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: instance.hetzner.cloud/is-root-server
operator: NotIn
values:
- "true"
- key: instance.hetzner.cloud/provided-by
operator: NotIn
values:
- robot
containers:
- args:
- --kubelet-registration-path=/var/lib/kubelet/plugins/csi.hetzner.cloud/socket
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.13.0
imagePullPolicy: IfNotPresent
name: csi-node-driver-registrar
resources:
limits: {}
requests: {}
volumeMounts:
- mountPath: /run/csi
name: plugin-dir
- mountPath: /registration
name: registration-dir
- image: registry.k8s.io/sig-storage/livenessprobe:v2.15.0
imagePullPolicy: IfNotPresent
name: liveness-probe
resources:
limits: {}
requests: {}
volumeMounts:
- mountPath: /run/csi
name: plugin-dir
- command:
- /bin/hcloud-csi-driver-node
env:
- name: CSI_ENDPOINT
value: unix:///run/csi/socket
- name: ENABLE_METRICS
value: "false"
image: docker.io/hetznercloud/hcloud-csi-driver:v2.12.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 3
name: hcloud-csi-driver
ports:
- containerPort: 9808
name: healthz
protocol: TCP
resources:
limits: {}
requests: {}
securityContext:
privileged: true
volumeMounts:
- mountPath: /var/lib/kubelet
mountPropagation: Bidirectional
name: kubelet-dir
- mountPath: /run/csi
name: plugin-dir
- mountPath: /dev
name: device-dir
initContainers: null
securityContext:
fsGroup: 1001
tolerations:
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
volumes:
- hostPath:
path: /var/lib/kubelet
type: Directory
name: kubelet-dir
- hostPath:
path: /var/lib/kubelet/plugins/csi.hetzner.cloud/
type: DirectoryOrCreate
name: plugin-dir
- hostPath:
path: /var/lib/kubelet/plugins_registry/
type: Directory
name: registration-dir
- hostPath:
path: /dev
type: Directory
name: device-dir
updateStrategy:
type: RollingUpdate

130
rendered/envs/production/hcloud-csi/deployment-hcloud-csi-controller.yaml Normal file
View file

@ -0,0 +1,130 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app: hcloud-csi-controller
app.kubernetes.io/component: controller
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: hcloud-csi
helm.sh/chart: hcloud-csi-2.12.0
name: hcloud-csi-controller
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/name: hcloud-csi
strategy:
type: RollingUpdate
template:
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: hcloud-csi
helm.sh/chart: hcloud-csi-2.12.0
spec:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: instance.hetzner.cloud/provided-by
operator: In
values:
- cloud
weight: 1
containers:
- args:
- --default-fstype=ext4
image: registry.k8s.io/sig-storage/csi-attacher:v4.8.0
imagePullPolicy: IfNotPresent
name: csi-attacher
resources:
limits: {}
requests: {}
volumeMounts:
- mountPath: /run/csi
name: socket-dir
- image: registry.k8s.io/sig-storage/csi-resizer:v1.12.0
imagePullPolicy: IfNotPresent
name: csi-resizer
resources:
limits: {}
requests: {}
volumeMounts:
- mountPath: /run/csi
name: socket-dir
- args:
- --feature-gates=Topology=true
- --default-fstype=ext4
image: registry.k8s.io/sig-storage/csi-provisioner:v5.2.0
imagePullPolicy: IfNotPresent
name: csi-provisioner
resources:
limits: {}
requests: {}
volumeMounts:
- mountPath: /run/csi
name: socket-dir
- image: registry.k8s.io/sig-storage/livenessprobe:v2.15.0
imagePullPolicy: IfNotPresent
name: liveness-probe
resources:
limits: {}
requests: {}
volumeMounts:
- mountPath: /run/csi
name: socket-dir
- command:
- /bin/hcloud-csi-driver-controller
env:
- name: CSI_ENDPOINT
value: unix:///run/csi/socket
- name: ENABLE_METRICS
value: "false"
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: HCLOUD_TOKEN
valueFrom:
secretKeyRef:
key: token
name: hcloud
image: docker.io/hetznercloud/hcloud-csi-driver:v2.12.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 3
name: hcloud-csi-driver
ports:
- containerPort: 9808
name: healthz
protocol: TCP
resources:
limits: {}
requests: {}
volumeMounts:
- mountPath: /run/csi
name: socket-dir
initContainers: null
securityContext:
fsGroup: 1001
serviceAccountName: hcloud-csi-controller
volumes:
- emptyDir: {}
name: socket-dir

9
rendered/envs/production/hcloud-csi/namespace-kube-system.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Namespace
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
pod-security.kubernetes.io/enforce: privileged
name: kube-system
namespace: kube-system

14
rendered/envs/production/hcloud-csi/serviceaccount-hcloud-csi-controller.yaml Normal file
View file

@ -0,0 +1,14 @@
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: hcloud-csi
helm.sh/chart: hcloud-csi-2.12.0
name: hcloud-csi-controller
namespace: kube-system

12
rendered/envs/production/hcloud-csi/storageclass-hcloud-volumes.yaml Normal file
View file

@ -0,0 +1,12 @@
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
storageclass.kubernetes.io/is-default-class: "true"
name: hcloud-volumes
namespace: kube-system
provisioner: csi.hetzner.cloud
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer