diff --git a/cluster/postgresql/helmrelease-postgresql.yaml b/cluster/postgresql/helmrelease-postgresql.yaml index 4bfd0b0..6e83ac6 100644 --- a/cluster/postgresql/helmrelease-postgresql.yaml +++ b/cluster/postgresql/helmrelease-postgresql.yaml @@ -44,16 +44,16 @@ spec: ## @param global.postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. ## @param global.postgresql.auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. ## - auth: - #postgresPassword: "" - username: "clortox" - #password: "" - database: "" - existingSecret: "postgresql-default-credentials" - secretKeys: - adminPasswordKey: "postgres-password" - userPasswordKey: "password" - replicationPasswordKey: "" + #auth: + # #postgresPassword: "" + # username: "clortox" + # #password: "" + # database: "" + # existingSecret: "postgresql-default-credentials" + # secretKeys: + # adminPasswordKey: "postgres-password" + # userPasswordKey: "password" + # replicationPasswordKey: "" ## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) ## service: @@ -147,7 +147,7 @@ spec: postgresPassword: "" ## @param auth.username Name for a custom user to create ## - username: "" + username: "clortox" ## @param auth.password Password for the custom user to create. Ignored if `auth.existingSecret` is provided ## password: "" @@ -162,7 +162,7 @@ spec: replicationPassword: "" ## @param auth.existingSecret Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. ## - existingSecret: "" + existingSecret: "postgresql-default-credentials" ## @param auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. ## @param auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. ## @param auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. @@ -170,7 +170,7 @@ spec: secretKeys: adminPasswordKey: postgres-password userPasswordKey: password - replicationPasswordKey: replication-password + #replicationPasswordKey: replication-password ## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable ## usePasswordFiles: false @@ -729,894 +729,3 @@ spec: ## whenDeleted: Retain - ## @section PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`) - ## - readReplicas: - ## @param readReplicas.name Name of the read replicas database (eg secondary, slave, ...) - ## - name: read - ## @param readReplicas.replicaCount Number of PostgreSQL read only replicas - ## - replicaCount: 1 - ## @param readReplicas.extendedConfiguration Extended PostgreSQL read only replicas configuration (appended to main or default configuration) - ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf - ## - extendedConfiguration: "" - ## @param readReplicas.extraEnvVars Array with extra environment variables to add to PostgreSQL read only nodes - ## e.g: - ## extraEnvVars: - ## - name: FOO - ## value: "bar" - ## - extraEnvVars: [] - ## @param readReplicas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes - ## - extraEnvVarsCM: "" - ## @param readReplicas.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL read only nodes - ## - extraEnvVarsSecret: "" - ## @param readReplicas.command Override default container command (useful when using custom images) - ## - command: [] - ## @param readReplicas.args Override default container args (useful when using custom images) - ## - args: [] - ## Configure extra options for PostgreSQL read only containers' liveness, readiness and startup probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes - ## @param readReplicas.livenessProbe.enabled Enable livenessProbe on PostgreSQL read only containers - ## @param readReplicas.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param readReplicas.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param readReplicas.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param readReplicas.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param readReplicas.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param readReplicas.readinessProbe.enabled Enable readinessProbe on PostgreSQL read only containers - ## @param readReplicas.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param readReplicas.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param readReplicas.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param readReplicas.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param readReplicas.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param readReplicas.startupProbe.enabled Enable startupProbe on PostgreSQL read only containers - ## @param readReplicas.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param readReplicas.startupProbe.periodSeconds Period seconds for startupProbe - ## @param readReplicas.startupProbe.timeoutSeconds Timeout seconds for startupProbe - ## @param readReplicas.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param readReplicas.startupProbe.successThreshold Success threshold for startupProbe - ## - startupProbe: - enabled: false - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 15 - successThreshold: 1 - ## @param readReplicas.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param readReplicas.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## @param readReplicas.customStartupProbe Custom startupProbe that overrides the default one - ## - customStartupProbe: {} - ## @param readReplicas.lifecycleHooks for the PostgreSQL read only container to automate configuration before or after startup - ## - lifecycleHooks: {} - ## PostgreSQL read only resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param readReplicas.resources.limits The resources limits for the PostgreSQL read only containers - ## @param readReplicas.resources.requests.memory The requested memory for the PostgreSQL read only containers - ## @param readReplicas.resources.requests.cpu The requested cpu for the PostgreSQL read only containers - ## - resources: - limits: {} - requests: - memory: 256Mi - cpu: 250m - ## Pod Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## @param readReplicas.podSecurityContext.enabled Enable security context - ## @param readReplicas.podSecurityContext.fsGroup Group ID for the pod - ## - podSecurityContext: - enabled: true - fsGroup: 1001 - ## Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## @param readReplicas.containerSecurityContext.enabled Enable container security context - ## @param readReplicas.containerSecurityContext.runAsUser User ID for the container - ## @param readReplicas.containerSecurityContext.runAsGroup Group ID for the container - ## @param readReplicas.containerSecurityContext.runAsNonRoot Set runAsNonRoot for the container - ## @param readReplicas.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation for the container - ## @param readReplicas.containerSecurityContext.seccompProfile.type Set seccompProfile.type for the container - ## @param readReplicas.containerSecurityContext.capabilities.drop Set capabilities.drop for the container - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsGroup: 0 - runAsNonRoot: true - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - ## @param readReplicas.hostAliases PostgreSQL read only pods host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param readReplicas.hostNetwork Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) - ## - hostNetwork: false - ## @param readReplicas.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) - ## - hostIPC: false - ## @param readReplicas.labels Map of labels to add to the statefulset (PostgreSQL read only) - ## - labels: {} - ## @param readReplicas.annotations Annotations for PostgreSQL read only pods - ## - annotations: {} - ## @param readReplicas.podLabels Map of labels to add to the pods (PostgreSQL read only) - ## - podLabels: {} - ## @param readReplicas.podAnnotations Map of annotations to add to the pods (PostgreSQL read only) - ## - podAnnotations: {} - ## @param readReplicas.podAffinityPreset PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param readReplicas.podAntiAffinityPreset PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## PostgreSQL read only node affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param readReplicas.nodeAffinityPreset.type PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## - type: "" - ## @param readReplicas.nodeAffinityPreset.key PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## @param readReplicas.nodeAffinityPreset.values PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param readReplicas.affinity Affinity for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - ## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param readReplicas.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods - ## - topologySpreadConstraints: [] - ## @param readReplicas.priorityClassName Priority Class to use for each pod (PostgreSQL read only) - ## - priorityClassName: "" - ## @param readReplicas.schedulerName Use an alternate scheduler, e.g. "stork". - ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - schedulerName: "" - ## @param readReplicas.terminationGracePeriodSeconds Seconds PostgreSQL read only pod needs to terminate gracefully - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods - ## - terminationGracePeriodSeconds: "" - ## @param readReplicas.updateStrategy.type PostgreSQL read only statefulset strategy type - ## @param readReplicas.updateStrategy.rollingUpdate PostgreSQL read only statefulset rolling update configuration parameters - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - ## - updateStrategy: - type: RollingUpdate - rollingUpdate: {} - ## @param readReplicas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) - ## - extraVolumeMounts: [] - ## @param readReplicas.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) - ## - extraVolumes: [] - ## @param readReplicas.sidecars Add additional sidecar containers to the PostgreSQL read only pod(s) - ## For example: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - ## @param readReplicas.initContainers Add additional init containers to the PostgreSQL read only pod(s) - ## Example - ## - ## initContainers: - ## - name: do-something - ## image: busybox - ## command: ['do', 'something'] - ## - initContainers: [] - ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s) - ## - extraPodSpec: {} - ## PostgreSQL read only service configuration - ## - service: - ## @param readReplicas.service.type Kubernetes Service type - ## - type: ClusterIP - ## @param readReplicas.service.ports.postgresql PostgreSQL service port - ## - ports: - postgresql: 5432 - ## Node ports to expose - ## NOTE: choose port between <30000-32767> - ## @param readReplicas.service.nodePorts.postgresql Node port for PostgreSQL - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePorts: - postgresql: "" - ## @param readReplicas.service.clusterIP Static clusterIP or None for headless services - ## e.g: - ## clusterIP: None - ## - clusterIP: "" - ## @param readReplicas.service.annotations Annotations for PostgreSQL read only service - ## - annotations: {} - ## @param readReplicas.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` - ## Set the LoadBalancer service type to internal only - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param readReplicas.service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param readReplicas.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param readReplicas.service.extraPorts Extra ports to expose in the PostgreSQL read only service - ## - extraPorts: [] - ## @param readReplicas.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" - ## If "ClientIP", consecutive client requests will be directed to the same Pod - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - ## - sessionAffinity: None - ## @param readReplicas.service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - ## - sessionAffinityConfig: {} - ## Headless service properties - ## - headless: - ## @param readReplicas.service.headless.annotations Additional custom annotations for headless PostgreSQL read only service - ## - annotations: {} - ## PostgreSQL read only persistence configuration - ## - persistence: - ## @param readReplicas.persistence.enabled Enable PostgreSQL read only data persistence using PVC - ## - enabled: true - ## @param readReplicas.persistence.existingClaim Name of an existing PVC to use - ## - existingClaim: "" - ## @param readReplicas.persistence.mountPath The path the volume will be mounted at - ## Note: useful when using custom PostgreSQL images - ## - mountPath: /bitnami/postgresql - ## @param readReplicas.persistence.subPath The subdirectory of the volume to mount to - ## Useful in dev environments and one PV for multiple services - ## - subPath: "" - ## @param readReplicas.persistence.storageClass PVC Storage Class for PostgreSQL read only data volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - storageClass: "" - ## @param readReplicas.persistence.accessModes PVC Access Mode for PostgreSQL volume - ## - accessModes: - - ReadWriteOnce - ## @param readReplicas.persistence.size PVC Storage Request for PostgreSQL volume - ## - size: 8Gi - ## @param readReplicas.persistence.annotations Annotations for the PVC - ## - annotations: {} - ## @param readReplicas.persistence.labels Labels for the PVC - ## - labels: {} - ## @param readReplicas.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) - ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} - ## @param readReplicas.persistence.dataSource Custom PVC data source - ## - dataSource: {} - ## PostgreSQL Read only Persistent Volume Claim Retention Policy - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention - ## - persistentVolumeClaimRetentionPolicy: - ## @param readReplicas.persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for read only Statefulset - ## - enabled: false - ## @param readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced - ## - whenScaled: Retain - ## @param readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted - ## - whenDeleted: Retain - - - ## @section Backup parameters - ## This section implements a trivial logical dump cronjob of the database. - ## This only comes with the consistency guarantees of the dump program. - ## This is not a snapshot based roll forward/backward recovery backup. - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ - backup: - ## @param backup.enabled Enable the logical dump of the database "regularly" - enabled: false - cronjob: - ## @param backup.cronjob.schedule Set the cronjob parameter schedule - schedule: "@daily" - ## @param backup.cronjob.timeZone Set the cronjob parameter timeZone - timeZone: "" - ## @param backup.cronjob.concurrencyPolicy Set the cronjob parameter concurrencyPolicy - concurrencyPolicy: Allow - ## @param backup.cronjob.failedJobsHistoryLimit Set the cronjob parameter failedJobsHistoryLimit - failedJobsHistoryLimit: 1 - ## @param backup.cronjob.successfulJobsHistoryLimit Set the cronjob parameter successfulJobsHistoryLimit - successfulJobsHistoryLimit: 3 - ## @param backup.cronjob.startingDeadlineSeconds Set the cronjob parameter startingDeadlineSeconds - startingDeadlineSeconds: "" - ## @param backup.cronjob.ttlSecondsAfterFinished Set the cronjob parameter ttlSecondsAfterFinished - ttlSecondsAfterFinished: "" - ## @param backup.cronjob.restartPolicy Set the cronjob parameter restartPolicy - restartPolicy: OnFailure - ## @param backup.cronjob.podSecurityContext.enabled Enable PodSecurityContext for CronJob/Backup - ## @param backup.cronjob.podSecurityContext.fsGroup Group ID for the CronJob - podSecurityContext: - enabled: true - fsGroup: 1001 - ## backup container's Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param backup.cronjob.containerSecurityContext.enabled Enable container security context - ## @param backup.cronjob.containerSecurityContext.runAsUser User ID for the backup container - ## @param backup.cronjob.containerSecurityContext.runAsGroup Group ID for the backup container - ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set backup container's Security Context runAsNonRoot - ## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Is the container itself readonly - ## @param backup.cronjob.containerSecurityContext.allowPrivilegeEscalation Is it possible to escalate backup pod(s) privileges - ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set backup container's Security Context seccompProfile type - ## @param backup.cronjob.containerSecurityContext.capabilities.drop Set backup container's Security Context capabilities to drop - containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsGroup: 0 - runAsNonRoot: true - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - ## @param backup.cronjob.command Set backup container's command to run - command: - - /bin/sh - - -c - - "pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump" - - ## @param backup.cronjob.labels Set the cronjob labels - labels: {} - ## @param backup.cronjob.annotations Set the cronjob annotations - annotations: {} - ## @param backup.cronjob.nodeSelector Node labels for PostgreSQL backup CronJob pod assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - storage: - ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) - ## If defined, PVC must be created manually before volume will be bound - ## - existingClaim: "" - ## @param backup.cronjob.storage.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted - ## - resourcePolicy: "" - ## @param backup.cronjob.storage.storageClass PVC Storage Class for the backup data volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. - ## - storageClass: "" - ## @param backup.cronjob.storage.accessModes PV Access Mode - ## - accessModes: - - ReadWriteOnce - ## @param backup.cronjob.storage.size PVC Storage Request for the backup data volume - ## - size: 8Gi - ## @param backup.cronjob.storage.annotations PVC annotations - ## - annotations: {} - ## @param backup.cronjob.storage.mountPath Path to mount the volume at - ## - mountPath: /backup/pgdump - ## @param backup.cronjob.storage.subPath Subdirectory of the volume to mount at - ## and one PV for multiple services. - ## - subPath: "" - ## Fine tuning for volumeClaimTemplates - ## - volumeClaimTemplates: - ## @param backup.cronjob.storage.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes) - ## A label query over volumes to consider for binding (e.g. when using local volumes) - ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details - ## - selector: {} - - ## @section NetworkPolicy parameters - ## - - ## Add networkpolicies - ## - networkPolicy: - ## @param networkPolicy.enabled Enable network policies - ## - enabled: false - ## @param networkPolicy.metrics.enabled Enable network policies for metrics (prometheus) - ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. - ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. - ## - metrics: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: monitoring - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: monitoring - ## - podSelector: {} - ## Ingress Rules - ## - ingressRules: - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules Custom network policy for the PostgreSQL primary node. - ## - primaryAccessOnlyFrom: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## custom ingress rules - ## e.g: - ## customRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: [] - ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. - ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules Custom network policy for the PostgreSQL read-only nodes. - ## - readReplicasAccessOnlyFrom: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## custom ingress rules - ## e.g: - ## CustomRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: [] - ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). - ## @param networkPolicy.egressRules.customRules Custom network policy rule - ## - egressRules: - # Deny connections to external. This is not compatible with an external database. - denyConnectionsToExternal: false - ## Additional custom egress rules - ## e.g: - ## customRules: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: [] - - ## @section Volume Permissions parameters - ## - - ## Init containers parameters: - ## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node - ## - volumePermissions: - ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume - ## - enabled: false - ## @param volumePermissions.image.registry Init container volume-permissions image registry - ## @param volumePermissions.image.repository Init container volume-permissions image repository - ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) - ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag - ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy - ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets - ## - image: - registry: docker.io - repository: bitnami/os-shell - tag: 11-debian-11-r77 - digest: "" - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Init container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param volumePermissions.resources.limits Init container volume-permissions resource limits - ## @param volumePermissions.resources.requests Init container volume-permissions resource requests - ## - resources: - limits: {} - requests: {} - ## Init container' Security Context - ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser - ## and not the below volumePermissions.containerSecurityContext.runAsUser - ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container - ## @param volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container - ## @param volumePermissions.containerSecurityContext.runAsNonRoot runAsNonRoot for the init container - ## @param volumePermissions.containerSecurityContext.seccompProfile.type seccompProfile.type for the init container - ## - containerSecurityContext: - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - seccompProfile: - type: RuntimeDefault - ## @section Other Parameters - ## - - ## @param serviceBindings.enabled Create secret for service binding (Experimental) - ## Ref: https://servicebinding.io/service-provider/ - ## - serviceBindings: - enabled: false - - ## Service account for PostgreSQL to use. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ - ## - serviceAccount: - ## @param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod - ## - create: false - ## @param serviceAccount.name The name of the ServiceAccount to use. - ## If not set and create is true, a name is generated using the common.names.fullname template - ## - name: "" - ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created - ## Can be set to false if pods using this serviceAccount do not need to use K8s API - ## - automountServiceAccountToken: true - ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount - ## - annotations: {} - ## Creates role for ServiceAccount - ## @param rbac.create Create Role and RoleBinding (required for PSP to work) - ## - rbac: - create: false - ## @param rbac.rules Custom RBAC rules to set - ## e.g: - ## rules: - ## - apiGroups: - ## - "" - ## resources: - ## - pods - ## verbs: - ## - get - ## - list - ## - rules: [] - ## Pod Security Policy - ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - ## @param psp.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later - ## - psp: - create: false - - ## @section Metrics Parameters - ## - - metrics: - ## @param metrics.enabled Start a prometheus exporter - ## - enabled: false - ## @param metrics.image.registry PostgreSQL Prometheus Exporter image registry - ## @param metrics.image.repository PostgreSQL Prometheus Exporter image repository - ## @param metrics.image.tag PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) - ## @param metrics.image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag - ## @param metrics.image.pullPolicy PostgreSQL Prometheus Exporter image pull policy - ## @param metrics.image.pullSecrets Specify image pull secrets - ## - image: - registry: docker.io - repository: bitnami/postgres-exporter - tag: 0.14.0-debian-11-r5 - digest: "" - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## @param metrics.customMetrics Define additional custom metrics - ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file - ## customMetrics: - ## pg_database: - ## query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" - ## metrics: - ## - name: - ## usage: "LABEL" - ## description: "Name of the database" - ## - size_bytes: - ## usage: "GAUGE" - ## description: "Size of the database in bytes" - ## - customMetrics: {} - ## @param metrics.extraEnvVars Extra environment variables to add to PostgreSQL Prometheus exporter - ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables - ## For example: - ## extraEnvVars: - ## - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS - ## value: "true" - ## - extraEnvVars: [] - ## PostgreSQL Prometheus exporter containers' Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param metrics.containerSecurityContext.enabled Enable PostgreSQL Prometheus exporter containers' Security Context - ## @param metrics.containerSecurityContext.runAsUser Set PostgreSQL Prometheus exporter containers' Security Context runAsUser - ## @param metrics.containerSecurityContext.runAsGroup Set PostgreSQL Prometheus exporter containers' Security Context runAsGroup - ## @param metrics.containerSecurityContext.runAsNonRoot Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot - ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set PostgreSQL Prometheus exporter containers' Security Context allowPrivilegeEscalation - ## @param metrics.containerSecurityContext.seccompProfile.type Set PostgreSQL Prometheus exporter containers' Security Context seccompProfile.type - ## @param metrics.containerSecurityContext.capabilities.drop Set PostgreSQL Prometheus exporter containers' Security Context capabilities.drop - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsGroup: 0 - runAsNonRoot: true - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - ## Configure extra options for PostgreSQL Prometheus exporter containers' liveness, readiness and startup probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes - ## @param metrics.livenessProbe.enabled Enable livenessProbe on PostgreSQL Prometheus exporter containers - ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param metrics.readinessProbe.enabled Enable readinessProbe on PostgreSQL Prometheus exporter containers - ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param metrics.startupProbe.enabled Enable startupProbe on PostgreSQL Prometheus exporter containers - ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe - ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe - ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param metrics.startupProbe.successThreshold Success threshold for startupProbe - ## - startupProbe: - enabled: false - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 15 - successThreshold: 1 - ## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param metrics.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## @param metrics.customStartupProbe Custom startupProbe that overrides the default one - ## - customStartupProbe: {} - ## @param metrics.containerPorts.metrics PostgreSQL Prometheus exporter metrics container port - ## - containerPorts: - metrics: 9187 - ## PostgreSQL Prometheus exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param metrics.resources.limits The resources limits for the PostgreSQL Prometheus exporter container - ## @param metrics.resources.requests The requested resources for the PostgreSQL Prometheus exporter container - ## - resources: - limits: {} - requests: {} - ## Service configuration - ## - service: - ## @param metrics.service.ports.metrics PostgreSQL Prometheus Exporter service port - ## - ports: - metrics: 9187 - ## @param metrics.service.clusterIP Static clusterIP or None for headless services - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address - ## - clusterIP: "" - ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin - ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ - ## - sessionAffinity: None - ## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint - ## - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" - ## Prometheus Operator ServiceMonitor configuration - ## - serviceMonitor: - ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator - ## - enabled: false - ## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) - ## - namespace: "" - ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## - interval: "" - ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## - scrapeTimeout: "" - ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus - ## - labels: {} - ## @param metrics.serviceMonitor.selector Prometheus instance selector labels - ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration - ## - selector: {} - ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping - ## - relabelings: [] - ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion - ## - metricRelabelings: [] - ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint - ## - honorLabels: false - ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. - ## - jobLabel: "" - ## Custom PrometheusRule to be defined - ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart - ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions - ## - prometheusRule: - ## @param metrics.prometheusRule.enabled Create a PrometheusRule for Prometheus Operator - ## - enabled: false - ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace) - ## - namespace: "" - ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus - ## - labels: {} - ## @param metrics.prometheusRule.rules PrometheusRule definitions - ## Make sure to constraint the rules to the current postgresql service. - ## rules: - ## - alert: HugeReplicationLag - ## expr: pg_replication_lag{service="{{ printf "%s-metrics" (include "common.names.fullname" .) }}"} / 3600 > 1 - ## for: 1m - ## labels: - ## severity: critical - ## annotations: - ## description: replication for {{ include "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). - ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). - ## - rules: []