Compare revisions

Janne Mareike Koschinski · Janne Mareike Koschinski · fa8821ea · fa8821ea · fa8821ea · fa8821ea
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -16,8 +16,8 @@ include:
 - /mastodon/pipeline.yml
 - /oauth2-proxy/pipeline.yml
 - /powerdns/pipeline.yml
+- /postgresql/pipeline.yml
 - /quassel/pipeline.yml
 - /restic/pipeline.yml
 - /rtorrent/pipeline.yml
 - /seafile/pipeline.yml
- /wg-access-server/pipeline.yml
--- a/postgresql/Chart.yaml
+++ b/postgresql/Chart.yaml
+apiVersion: v2
+name: postgresql
+description: Helm Chart for postgresql
+type: application
+version: 1.0.0
+appVersion: "14.7-alpine"
--- a/wg-access-server/pipeline.yml
+++ b/wg-access-server/pipeline.yml
-lint-wg-access-server:
+lint-postgresql:
  stage: lint
  rules:
    - changes:
-        - wg-access-server/**/*
+        - postgresql/**/*
  script:
-    - helm lint wg-access-server
+    - helm lint postgresql

-release-wg-access-server:
+release-postgresql:
  stage: release
  needs:
-    - lint-wg-access-server
+    - lint-postgresql
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      changes:
-        - wg-access-server/**/*
+        - postgresql/**/*
  script:
    - apk add --no-cache git
    - helm plugin install https://github.com/chartmuseum/helm-push.git
    - helm repo add --username gitlab-ci-token --password $CI_JOB_TOKEN repo ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/stable
-    - helm cm-push wg-access-server repo
+    - helm cm-push postgresql repo
--- a/wg-access-server/templates/_helpers.tpl
+++ b/wg-access-server/templates/_helpers.tpl
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "wg-access-server-helm.name" -}}
+{{- define "postgresql-helm.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}

@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "wg-access-server-helm.fullname" -}}
+{{- define "postgresql-helm.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "wg-access-server-helm.chart" -}}
+{{- define "postgresql-helm.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}

 {{/*
 Common labels
 */}}
-{{- define "wg-access-server-helm.labels" -}}
-helm.sh/chart: {{ include "wg-access-server-helm.chart" . }}
-{{ include "wg-access-server-helm.selectorLabels" . }}
+{{- define "postgresql-helm.labels" -}}
+helm.sh/chart: {{ include "postgresql-helm.chart" . }}
+{{ include "postgresql-helm.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -45,12 +45,12 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "wg-access-server-helm.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "wg-access-server-helm.name" . }}
+{{- define "postgresql-helm.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "postgresql-helm.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}


-{{- define "wg-access-server-helm.sslPath" -}}
+{{- define "postgresql-helm.sslPath" -}}
 /certs
 {{- end }}
--- a/postgresql/templates/configmap.yaml
+++ b/postgresql/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "postgresql-helm.fullname" . }}
+  labels:
+    {{- include "postgresql-helm.labels" . | nindent 4 }}
+data:
+  performance.conf: |-
+    # DB Version: 12
+    # OS Type: linux
+    # DB Type: mixed
+    # Total Memory (RAM): 16 GB
+    # CPUs num: 8
+    # Connections num: 64
+    # Data Storage: ssd
+
+    max_connections = 128
+    shared_buffers = 4GB
+    effective_cache_size = 12GB
+    maintenance_work_mem = 1GB
+    checkpoint_completion_target = 0.9
+    wal_buffers = 16MB
+    default_statistics_target = 100
+    random_page_cost = 1.1
+    effective_io_concurrency = 200
+    work_mem = 8MB
+    min_wal_size = 1GB
+    max_wal_size = 4GB
+    max_worker_processes = 8
+    max_parallel_workers_per_gather = 4
+    max_parallel_workers = 8
+    max_parallel_maintenance_workers = 4
+  {{ if .Values.tls.enabled -}}
+  ssl.conf: |-
+    ssl = true
+    ssl_ciphers = 'AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH!aNULL'
+    ssl_ecdh_curve = 'secp384r1'
+    ssl_cert_file = '/certs/{{ .Values.tls.certFilename }}'
+    ssl_key_file = '/certs/{{ .Values.tls.certKeyFilename }}'
+  {{- end }}
+  stat.conf: |-
+    shared_preload_libraries = 'pg_stat_statements'
+    pg_stat_statements.track = all
--- a/postgresql/templates/secret.yaml
+++ b/postgresql/templates/secret.yaml
+{{- $fullname := include "postgresql-helm.fullname" . -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $fullname }}
+  annotations:
+    "helm.sh/resource-policy": "keep"
+  labels:
+    {{- include "postgresql-helm.labels" . | nindent 4 }}
+type: Opaque
+data:
+  {{ if empty .Values.postgresqlPassword }}
+  # retrieve the secret data using lookup function and when not exists, return an empty dictionary / map as result
+  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $fullname) | default dict }}
+  {{- $secretData := (get $secretObj "data") | default dict }}
+  # set $secret to existing secret data or generate a random one when not exists
+  {{- $secretValue := (get $secretData $fullname) | default (randAlphaNum 48 | b64enc) }}
+  postgresql-password: {{ $secretValue | quote }}
+  {{ else }}
+  postgresql-password: "{{ .Values.postgresqlPassword }}"
+  {{ end }}
\ No newline at end of file
--- a/postgresql/templates/service.yaml
+++ b/postgresql/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "postgresql-helm.fullname" . }}
+  labels:
+    {{- include "postgresql-helm.labels" . | nindent 4 }}
+spec:
+  type: "ClusterIP"
+  ports:
+    - port: 5432
+      targetPort: sql
+      protocol: TCP
+      name: sql
+  selector:
+    {{- include "postgresql-helm.selectorLabels" . | nindent 4 }}
--- a/wg-access-server/templates/deployment.yaml
+++ b/wg-access-server/templates/deployment.yaml
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
-  name: {{ include "wg-access-server-helm.fullname" . }}
+  name: {{ include "postgresql-helm.fullname" . }}
  labels:
-    {{- include "wg-access-server-helm.labels" . | nindent 4 }}
+    {{- include "postgresql-helm.labels" . | nindent 4 }}
 spec:
  replicas: {{ .Values.replicaCount }}
+  serviceName: {{ include "postgresql-helm.fullname" . }}
  selector:
    matchLabels:
-      {{- include "wg-access-server-helm.selectorLabels" . | nindent 6 }}
+      {{- include "postgresql-helm.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
@@ -16,7 +17,7 @@ spec:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
-        {{- include "wg-access-server-helm.selectorLabels" . | nindent 8 }}
+        {{- include "postgresql-helm.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
@@ -25,53 +26,67 @@ spec:
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      volumes:
-        - name: tun
-          hostPath:
-            type: 'CharDevice'
-            path: /dev/net/tun
+        {{ if .Values.tls.enabled -}}
+        - name: certs
+          secret:
+            secretName: {{ .Values.tls.certificatesSecret }}
+        {{- end }}
+        - configMap:
+            defaultMode: 420
+            name: {{ include "postgresql-helm.fullname" . }}
+          name: config
        - name: data
          {{- .Values.volume | nindent 10 }}
-        - name: config
-          configMap:
-            name: {{ include "wg-access-server-helm.fullname" . }}
+        - emptyDir:
+            medium: Memory
+          name: shm
      containers:
-        - name: {{ .Chart.Name }}
+        - name: postgresql
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          envFrom:
-            - secretRef:
-                name: {{ include "wg-access-server-helm.fullname" . }}
+          env:
+            - name: postgresql_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: "postgresql-password"
+                  name: {{ include "postgresql-helm.fullname" . }}
          ports:
-            - name: http
-              containerPort: 8000
+            - name: sql
+              containerPort: 5432
              protocol: TCP
-            - name: wireguard
-              containerPort: 51820
-              protocol: UDP
          startupProbe:
-            httpGet:
-              path: /
-              port: http
+            exec:
+              command:
+                - sh
+                - -c
+                - exec pg_isready --host localhost
          livenessProbe:
-            httpGet:
-              path: /
-              port: http
+            exec:
+              command:
+                - sh
+                - -c
+                - exec pg_isready --host localhost
          readinessProbe:
-            httpGet:
-              path: /
-              port: http
+            exec:
+              command:
+                - sh
+                - -c
+                - exec pg_isready --host localhost
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
-            - name: tun
-              mountPath: /dev/net/tun
-            - mountPath: "/config.yaml"
-              name: config
-              subPath: "config.yaml"
-            - mountPath: "/data"
+            - mountPath: "/var/lib/postgresqlql/data"
              name: data
+            - mountPath: "/configs"
+              name: config
+            - mountPath: "/dev/shm"
+              name: shm
+            {{ if .Values.tls.enabled -}}
+            - mountPath: "/certs"
+              name: certs
+            {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}

--- a/wg-access-server/values.yaml
+++ b/wg-access-server/values.yaml
 replicaCount: 1

 image:
-  repository: place1/wg-access-server
+  repository: postgresql
  pullPolicy: IfNotPresent
  tag: ""

@@ -9,38 +9,40 @@ imagePullSecrets: [ ]
 nameOverride: ""
 fullnameOverride: ""

-config:
-  adminUsername: ""
-  adminPassword: ""
-  privateKey: ""
-  overrides: {}
-
 volume: |-
  emptyDir: {}

-service:
-  type: ClusterIP
-
-ingress:
-  host: "example.com"
-  path: "/"
-  annotations: { }
-
-podAnnotations: { }
+# if left empty, one will be auto-generated
+postgresqlPassword: ""

-podSecurityContext: { }
+tls:
+  enabled: false
+  certificatesSecret: ""
+  certFilename: "tls.crt"
+  certKeyFilename: "tls.key"

 securityContext:
  capabilities:
-    add: [ 'NET_ADMIN' ]
-
-resources:
-  limits:
-    cpu: 500m
-    memory: 512Mi
-  requests:
-    cpu: 10m
-    memory: 64Mi
+    drop:
+      - ALL
+  runAsNonRoot: true
+  runAsUser: 70
+  runAsGroup: 70
+
+resources: {}
+#  limits:
+#    cpu: 500m
+#    memory: 2Gi
+#  requests:
+#    cpu: 200m
+#    memory: 500Mi
+
+jobAnnotations: { }
+
+podAnnotations: { }
+
+podSecurityContext:
+  fsGroup: 70

 nodeSelector: { }


--- a/wg-access-server/Chart.yaml
+++ b/wg-access-server/Chart.yaml
-apiVersion: v2
-name: wg-access-server
-description: Helm Chart for wg-access-server
-type: application
-version: 1.0.1
-appVersion: "v0.4.6"
--- a/wg-access-server/templates/configmap.yaml
+++ b/wg-access-server/templates/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "wg-access-server-helm.fullname" . }}
-  labels:
-    {{- include "wg-access-server-helm.labels" . | nindent 4 }}
-data:
-  "config.yaml": |-
-{{ toYaml .Values.config.overrides | indent 4 }}
--- a/wg-access-server/templates/ingress.yaml
+++ b/wg-access-server/templates/ingress.yaml
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ include "wg-access-server-helm.fullname" . }}
-  labels:
-    {{- include "wg-access-server-helm.labels" . | nindent 4 }}
-  annotations:
-    {{- .Values.ingress.annotations | toYaml | nindent 4 }}
-spec:
-  rules:
-    - host: "{{ .Values.ingress.host }}"
-      http:
-        paths:
-          - path: "{{ .Values.ingress.path }}"
-            backend:
-              service:
-                name: {{ include "wg-access-server-helm.fullname" . }}
-                port:
-                  name: http
-            pathType: Prefix
--- a/wg-access-server/templates/secret.yaml
+++ b/wg-access-server/templates/secret.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "wg-access-server-helm.fullname" . }}
-  labels:
-    {{- include "wg-access-server-helm.labels" . | nindent 4 }}
-stringData:
-  WG_WIREGUARD_PRIVATE_KEY: "{{ .Values.config.privateKey }}"
-  WG_ADMIN_USERNAME: "{{ .Values.config.adminUsername }}"
-  WG_ADMIN_PASSWORD: "{{ .Values.config.adminPassword }}"
--- a/wg-access-server/templates/service.yaml
+++ b/wg-access-server/templates/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "wg-access-server-helm.fullname" . }}
-  labels:
-    {{- include "wg-access-server-helm.labels" . | nindent 4 }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: 80
-      targetPort: http
-      protocol: TCP
-      name: http
-    - port: 51820
-      targetPort: wireguard
-      protocol: UDP
-      name: wireguard
-  selector:
-    {{- include "wg-access-server-helm.selectorLabels" . | nindent 4 }}
No results found