From 6cf1dce07d78610db2ee21cddeb09b95c75185c0 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Thu, 9 Feb 2023 01:39:36 +0100
Subject: [PATCH] feat(postgres): Add cluster-wide automatic backup for all
 databases

This patch should provide an automated backup for all PostgreSQL
clusters in the Kubernetes cluster. This implementation is less than
ideal, because the backups are technically shared among all namespaces,
but for now it's better than no backup. There will be further work on
separating these backups, but it is what it is for now.
---
 clusters/k8s01/postgres/kustomization.yaml    |   4 +
 clusters/k8s01/postgres/release-override.yaml | 141 ++++++++++++++++++
 infrastructure/postgres/release.yaml          |  19 ++-
 3 files changed, 161 insertions(+), 3 deletions(-)
 create mode 100644 clusters/k8s01/postgres/kustomization.yaml
 create mode 100644 clusters/k8s01/postgres/release-override.yaml

diff --git a/clusters/k8s01/postgres/kustomization.yaml b/clusters/k8s01/postgres/kustomization.yaml
new file mode 100644
index 000000000..5b4b6bcda
--- /dev/null
+++ b/clusters/k8s01/postgres/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- release-override.yaml
diff --git a/clusters/k8s01/postgres/release-override.yaml b/clusters/k8s01/postgres/release-override.yaml
new file mode 100644
index 000000000..aebec818f
--- /dev/null
+++ b/clusters/k8s01/postgres/release-override.yaml
@@ -0,0 +1,141 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: postgres-pod-secrets
+    namespace: postgres-system
+stringData:
+    WAL_S3_BUCKET: ENC[AES256_GCM,data:o1NAN2pZZJiLvWDIFB88nqgDCA==,iv:fy7rIGirmSsGBPBq7OQSvTP6xXk8yS581YXlcTRLSJc=,tag:h2s3KINtNYX5EjU4eEmZDg==,type:str]
+    WAL_BUCKET_SCOPE_PREFIX: ""
+    WAL_BUCKET_SCOPE_SUFFIX: ""
+    USE_WALG_BACKUP: ENC[AES256_GCM,data:PyNMfA==,iv:BnrwkRcRpkj531kvY9N7oICW/TR5P6LvMhLnvjFppe4=,tag:CWKkLMMhoadY1O0uT0J0bA==,type:str]
+    USE_WALG_RESTORE: ENC[AES256_GCM,data:VeuAVw==,iv:j/LU6x8KJ6FjO+t+Kt+fT7rLz/n2kZpmfMT05WCeDfI=,tag:3EdagLildyD0084PAYM5Fw==,type:str]
+    BACKUP_SCHEDULE: ENC[AES256_GCM,data:UzMpPBMdALoW9go=,iv:qJA3R9Da3KIhKk1PEH93+44jQOuKVzg1IpujZrTJLFM=,tag:U6hw1YDRM5OvRZEA2tqECQ==,type:str]
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:AOXUF+nyBwOrTgRzuM3oKuGloA==,iv:Lwd8A7jQM/TdTNYgku5mQoe6zmU2Tjvo5TnkR302jnU=,tag:SB3c40iyzq2nhnqEV+0nvg==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:j4XDQPiUyiEEAjjRgCQavAdzVlLsXi3YcIJ/vaPtZD75zqzu0OtD1g==,iv:ktOmQOSSb9yYcQRzrPl7D52N2j+fGUOOnAHHi1H/Tf8=,tag:NHSuLFdnWSxbOcdT+6D54g==,type:str]
+    AWS_S3_FORCE_PATH_STYLE: ENC[AES256_GCM,data:xa9kOA==,iv:Nk9rihseIhCPyIK5kj/bjTcVqBLvv9sLpZim4LjFPA0=,tag:aEFgtjnJ1VhnYod5pKO6Tw==,type:str]
+    AWS_ENDPOINT: ENC[AES256_GCM,data:Vbob6Ya/XeG+dt/hPSJUxMhwCgf1q+F1NKC4KASIDEI=,iv:iXpcbMX6A2kFq5ENSsZfE26nweqFcevgokctTaUh8lo=,tag:QEnoqWU8Z8c/e0ACGQ1ygw==,type:str]
+    AWS_REGION: ENC[AES256_GCM,data:vPgLt82m+iXvvoQ=,iv:7ubMxH1Cs7gAoMI5y8VuE33Xk1mHBq978dEMWp7DGpw=,tag:Y2ReeS9gq7WRzm2Z+jwjwA==,type:str]
+    WALG_DISABLE_S3_SSE: ENC[AES256_GCM,data:8IJzgQ==,iv:Eg3rnD67NkIMBVECg0vIRwCEfaZb/tnTkpQyEtnXyug=,tag:cxb0EXHJ4seXxgB0qTOjLQ==,type:str]
+    BACKUP_NUM_TO_RETAIN: ENC[AES256_GCM,data:hw==,iv:7b9Jr+w0Z4PFzD3RP0I6m71KsMS4t+HWxq1gMhYdobs=,tag:UvZ469j8MMqFom13Ghfmfw==,type:str]
+    CLONE_USE_WALG_RESTORE: ENC[AES256_GCM,data:mB3A5A==,iv:WyLeYBR1VlrFsSdyMSa2vmtQa7FyH+1HpGy2LHaCPSc=,tag:e7gn82aQtsmVmJLbcbJiEA==,type:str]
+    CLONE_AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:dexZESvwalmC8tHvQe0qyJoZBg==,iv:NXv5yGtK2/kzT+FYJ2wGsAJb8AyAJIUJmD0hyfmPYF4=,tag:YL3KIybviHdQ9nmN2g9wbw==,type:str]
+    CLONE_AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:lrkKwuQqo/zxLl/ju2vsj0FDadcK2CJqErAtOKpGIqetzXLKVYVM2A==,iv:qsaGFQFycXrPuqahyOUseuUQgDro22PpCgVH+tCjuYQ=,tag:CRwozvXl798tOz0Ds8kqeQ==,type:str]
+    CLONE_AWS_ENDPOINT: ENC[AES256_GCM,data:rGuVCT/I+hRfbqZKgfZSKJAh0eX04qfNYxB27xN2EIA=,iv:YzNGZwVvsMPrfgJd5UHLzsaPj6l4ds7TOXDIQEreZe4=,tag:FWnT992L2vOvgWjYJdC4kg==,type:str]
+    CLONE_AWS_REGION: ENC[AES256_GCM,data:Zr7YU1sAbuP4TjY=,iv:x7rGSePSxYLMCUZF2xW/h6N4GVXQhsGKY2HjMGgTUwQ=,tag:7Sv8FpKDbFhVIkOJ89Z84w==,type:str]
+    CLONE_METHOD: ENC[AES256_GCM,data:kRs92XaJ4K+wtEt19GTM,iv:y1FHLks5v4o5+aMs+c9v4sVnzCcSNIw/IKJxL8nvzPw=,tag:4Z1zl+aLIgKJQ9WjKsvWDw==,type:str]
+    CLONE_WAL_BUCKET_SCOPE_PREFIX: ""
+    CLONE_WAL_S3_BUCKET: ENC[AES256_GCM,data:DBU+K5HJon9LdP/ACIO5zXH95Q==,iv:+O9ViNU4Wggb+g0WaLzbNiEDQFhebcvXTwUW61qHtT8=,tag:CvkGGc8py6wIaUrJGFUyDA==,type:str]
+    CLONE_AWS_S3_FORCE_PATH_STYLE: ENC[AES256_GCM,data:JFJT1g==,iv:WL0/GJhVI73EP95tYXqSXxszaHK11eMKQicPzLcImwQ=,tag:0YWoYW3aNv/hG1jQ0qiDmw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-02-09T00:27:42Z"
+    mac: ENC[AES256_GCM,data:pxzkVfeszdWLHtQoo9noq2FJkgt3hBc/UvAnAoVr1NPFW0nNjEZUNmmiAT+7o6xcivdDeiz9sm9XicgqIrUWOAB7VeKdy1kLQym5B98qapAv4sg3Cm9LVMj4vlTeuk/0PiDqDiABLsmivnoUgrq4NaXub4KgUuGn16K8FWAnbd0=,iv:woypK9DsJcOh1BYtd+ic5Saz7TfXQkHBfn5jS8GqF0M=,tag:3QjT8UUE3rVAtZN+a6A7eQ==,type:str]
+    pgp:
+        - created_at: "2023-02-09T00:27:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcAQ/+OSnICTyuWPM5cuutkJjMUSXjGhsSjc/ty2BEOTb5DjfZ
+            EFKrIQCKGFvxOUEKTwxSUqhN0oCrMMXWnqwMjOONoAjLloezs2E5wy8E0j/v+j6g
+            kAWIfYsoHKmqoeldLspG7bnnr42bY9n+BvLNSBsoGRo9gNOiQqFT2mv8S8Lg49Is
+            omb1/TLSRUq90U5Zwoc9tHbZnP4+85nvzwi092zfDLD5VK4SgbK8qIaiQUeuELto
+            2z/OKSAB77AAxOzh7U5YjtjyJBiBxQ7w3tnjXR08D3NUHu3THu+jevjTPRsxgqWl
+            cTlkdnl9iw8eQDS8yycjfcuQoY5oxK8KqQRMYurSEra2h0f7ccRPaCndbEKkUEWL
+            4I0EsVEeAgQOm9iTNrEpIyVcoio2HrUFqqtipeKnei5hVdGvKcjc/q3Jz2DAgxrB
+            48RzGXGXCPc9xpbatw7o9qFsu64n/6Un+/A3lvxeZp3d+wUY/WiYZyBVZ6bC7J/P
+            Wjm7IaVhGlhzYbep27LGJxIFmbMKuWx5cPMIi+4lteoWgEeVOQy6hHQIEtWWy9VY
+            R44blwSyANtTml8PRBGByjZBfrFKf6bbt6Xri/Gu0qJM/O1G8ZPtcDaIzcvbWqGg
+            Tz5D6dq/1AIiCx9Yatwd7ty2ZJdUhaFYSIn2NAFNqGXxGzvCywujdPvejbl8cQjS
+            UQEZL4BqHYUw20c0GnLtEiHVXxO2f1oPJVcooz76kMtXnfEpVCrzrhwYLdx9vTnd
+            6rb12yU6x5q4kjMfm+m4wdjxdRHznM48rUC1E0vbO7Hc/Q==
+            =IfCm
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2023-02-09T00:27:41Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPARAAlX+ciacOvXP5l2XVeXjKO1hWKnr7YLETntVdqRFf28SE
+            0P7uHujIeWbubJYimjJ5MOGA6CCE6q5KUmuCs1zFJv5Ot7pnx3z5uo3a0tq56QFU
+            Mn90r4QywVzYYRdiLqbSFhXWB9NRKdvER3NKaRmTNGubecd+rioVrkUF80UQ04o8
+            oXqv2zbT2lx/VcwNsQBJn4vI56kKR1OdKrTH6rZ4y87/MzR24JBn+y6ou6ZmslsT
+            c7jliyfCJcJvlIuwAgaY0gk7OF69l5+uDuE9mh3CkR9f7dEeA0GfGF/ULV7Y5PcO
+            90NrgAYDiNYPHQRYXu/v5VYEjz7vcSYL1Y6CvqEJlJNKmzxevKk6T3GCqmOI1lKU
+            Eql+R2LW9lif0yKYedhD2xyjD55nWeOAnXk9OVRruL+ocdDk8IOsL9PbwDIi/RKD
+            f7B1C9+34qPlMjTvxuOg8o9PnNHmFgzAXX4JQqnHcvH+mxDK+DmeQgFy5EzoSD62
+            fR8SaeZL+08r3i4WqupuwrybD4woTVw+8fCzXgXOECstFyQFmXUiIHkeXemIrEcF
+            rd9jfyfvuKvcZp10DghpUzwXV5SP6q5h2K39iC+dZjPmhfZX9w2TfyYeej3mqICj
+            TD5ZOkq0XCOqTLHWTW+ONTkmpSMW2/bdr+k4vjjLHqcEpRBuNQX1xGFRR+Zl//XU
+            aAEJAhDOPr+VRM+7QxAcfbOyG6qF6uX61emfvsmCeI/Frp8ZIN29/EuX3TZQ6ukj
+            HHO9t5XAoIquJQK6I35ffozOp1acmyYMbXZK0xmzjLPJagutcRtDP37k+5DWebhP
+            DfwF09j4hAyb
+            =mlgh
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName)$
+    version: 3.7.3
+---
+apiVersion: v1
+kind: Secret
+metadata:
+    name: postgres-override-values
+    namespace: postgres-system
+type: Opaque
+stringData:
+    values-overrides.yaml: ENC[AES256_GCM,data:5ykJ1trxTuzKaVFEm/VbRibMdw/GhokGcFwgTlaqOR1zcg4hOnKQMA6cYBBgPGRhw7ub3aS2MgHBS7w+LyS6cw==,iv:2DXF4wm0A99Vry0xkeIfhE904+Zo6h+RgHkHP3QxS3s=,tag:ei5fl8tTr19WEstaalK3CQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-02-09T00:27:42Z"
+    mac: ENC[AES256_GCM,data:pxzkVfeszdWLHtQoo9noq2FJkgt3hBc/UvAnAoVr1NPFW0nNjEZUNmmiAT+7o6xcivdDeiz9sm9XicgqIrUWOAB7VeKdy1kLQym5B98qapAv4sg3Cm9LVMj4vlTeuk/0PiDqDiABLsmivnoUgrq4NaXub4KgUuGn16K8FWAnbd0=,iv:woypK9DsJcOh1BYtd+ic5Saz7TfXQkHBfn5jS8GqF0M=,tag:3QjT8UUE3rVAtZN+a6A7eQ==,type:str]
+    pgp:
+        - created_at: "2023-02-09T00:27:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcAQ/+OSnICTyuWPM5cuutkJjMUSXjGhsSjc/ty2BEOTb5DjfZ
+            EFKrIQCKGFvxOUEKTwxSUqhN0oCrMMXWnqwMjOONoAjLloezs2E5wy8E0j/v+j6g
+            kAWIfYsoHKmqoeldLspG7bnnr42bY9n+BvLNSBsoGRo9gNOiQqFT2mv8S8Lg49Is
+            omb1/TLSRUq90U5Zwoc9tHbZnP4+85nvzwi092zfDLD5VK4SgbK8qIaiQUeuELto
+            2z/OKSAB77AAxOzh7U5YjtjyJBiBxQ7w3tnjXR08D3NUHu3THu+jevjTPRsxgqWl
+            cTlkdnl9iw8eQDS8yycjfcuQoY5oxK8KqQRMYurSEra2h0f7ccRPaCndbEKkUEWL
+            4I0EsVEeAgQOm9iTNrEpIyVcoio2HrUFqqtipeKnei5hVdGvKcjc/q3Jz2DAgxrB
+            48RzGXGXCPc9xpbatw7o9qFsu64n/6Un+/A3lvxeZp3d+wUY/WiYZyBVZ6bC7J/P
+            Wjm7IaVhGlhzYbep27LGJxIFmbMKuWx5cPMIi+4lteoWgEeVOQy6hHQIEtWWy9VY
+            R44blwSyANtTml8PRBGByjZBfrFKf6bbt6Xri/Gu0qJM/O1G8ZPtcDaIzcvbWqGg
+            Tz5D6dq/1AIiCx9Yatwd7ty2ZJdUhaFYSIn2NAFNqGXxGzvCywujdPvejbl8cQjS
+            UQEZL4BqHYUw20c0GnLtEiHVXxO2f1oPJVcooz76kMtXnfEpVCrzrhwYLdx9vTnd
+            6rb12yU6x5q4kjMfm+m4wdjxdRHznM48rUC1E0vbO7Hc/Q==
+            =IfCm
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2023-02-09T00:27:41Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPARAAlX+ciacOvXP5l2XVeXjKO1hWKnr7YLETntVdqRFf28SE
+            0P7uHujIeWbubJYimjJ5MOGA6CCE6q5KUmuCs1zFJv5Ot7pnx3z5uo3a0tq56QFU
+            Mn90r4QywVzYYRdiLqbSFhXWB9NRKdvER3NKaRmTNGubecd+rioVrkUF80UQ04o8
+            oXqv2zbT2lx/VcwNsQBJn4vI56kKR1OdKrTH6rZ4y87/MzR24JBn+y6ou6ZmslsT
+            c7jliyfCJcJvlIuwAgaY0gk7OF69l5+uDuE9mh3CkR9f7dEeA0GfGF/ULV7Y5PcO
+            90NrgAYDiNYPHQRYXu/v5VYEjz7vcSYL1Y6CvqEJlJNKmzxevKk6T3GCqmOI1lKU
+            Eql+R2LW9lif0yKYedhD2xyjD55nWeOAnXk9OVRruL+ocdDk8IOsL9PbwDIi/RKD
+            f7B1C9+34qPlMjTvxuOg8o9PnNHmFgzAXX4JQqnHcvH+mxDK+DmeQgFy5EzoSD62
+            fR8SaeZL+08r3i4WqupuwrybD4woTVw+8fCzXgXOECstFyQFmXUiIHkeXemIrEcF
+            rd9jfyfvuKvcZp10DghpUzwXV5SP6q5h2K39iC+dZjPmhfZX9w2TfyYeej3mqICj
+            TD5ZOkq0XCOqTLHWTW+ONTkmpSMW2/bdr+k4vjjLHqcEpRBuNQX1xGFRR+Zl//XU
+            aAEJAhDOPr+VRM+7QxAcfbOyG6qF6uX61emfvsmCeI/Frp8ZIN29/EuX3TZQ6ukj
+            HHO9t5XAoIquJQK6I35ffozOp1acmyYMbXZK0xmzjLPJagutcRtDP37k+5DWebhP
+            DfwF09j4hAyb
+            =mlgh
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName)$
+    version: 3.7.3
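Review bot: `postgres-pod-secrets` sets `WALG_DISABLE_S3_SSE` but lists no WAL-G client-side encryption key such as `WALG_LIBSODIUM_KEY` or `WALG_PGP_KEY`, so if the encrypted value is `true` (inferred, it cannot be read here) base backups and WAL segments are stored in the bucket unencrypted. This matters more because every cluster shares one `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` pair, with `WAL_BUCKET_SCOPE_PREFIX` and `WAL_BUCKET_SCOPE_SUFFIX` left empty, so a single compromised database pod holds credentials that reach every other cluster's backups. Until the backups are separated, consider adding a client-side encryption key to this Secret and scoping the access key's bucket policy to this one bucket. Bucket versioning or object lock would also stop a pod from deleting retained backups. The `CLONE_AWS_*` keys appear to mirror the same credentials, so the same scoping should apply to them.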
diff --git a/infrastructure/postgres/release.yaml b/infrastructure/postgres/release.yaml
index ad0c26f2b..a4968a965 100644
--- a/infrastructure/postgres/release.yaml
+++ b/infrastructure/postgres/release.yaml
@@ -12,15 +12,28 @@ spec:
         kind: HelmRepository
         name: zalando-postgres-operator
         namespace: postgres-system
-      valuesFiles:
-        - values.yaml
       version: 1.9.0
   interval: 5m
   install:
     crds: CreateReplace
   upgrade:
     crds: CreateReplace
-  values:
+  valuesFrom:
+  - kind: ConfigMap
+    name: postgres-base-values
+    valuesKey: values.yaml
+  - kind: Secret
+    name: postgres-override-values
+    valuesKey: values-overrides.yaml
+    optional: true
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-base-values
+  namespace: postgres-system
+data:
+  values.yaml: |
     rbac:
       createAggregateClusterRoles: true
     configPostgresPodResources:
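Review bot: The `postgres-override-values` entry in `valuesFrom` is marked `optional: true`, so a missing Secret does not fail the release. If SOPS decryption fails or the k8s01 overlay is not applied, the HelmRelease reconciles with `postgres-base-values` alone and reports success. The override presumably carries the backup settings, so backups would be silently absent. For a backup feature that failure should be visible: patch `optional: false` onto this entry from the cluster overlay that ships the Secret, or alert when a cluster has no recent base backup. The `values.yaml` block scalar continues outside the hunk, so its contents are not reviewed here.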
-- 
GitLab