Crunchy DB Samples

README.md

@@ -6,6 +6,7 @@ You fill find useful docs on how to do things specific to the BCGov's implementa
 
 # Index
 
-1. [Network Policy Demo Project](./labs/netpol-demo-project);
-2. [Network Policy QuickStart](./labs/netpol-quickstart).
-
+1. [Network Policy Demo Project](./labs/netpol-demo-project)
+2. [Network Policy QuickStart](./labs/netpol-quickstart)
+3. [Crunchy DB High Availability Sample](./crunchydb/high-availablility/)
+4. [Crunchy DB Monitoring QuickStart](./crunchydb/monitoring/)

crunchydb/high-availablility/NetworkPolicy.yaml

@@ -0,0 +1,42 @@
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-crunchydb-ha
+  labels:
+    postgres-operator.crunchydata.com/cluster: hippo-ha
+spec:
+  podSelector:
+    matchLabels:
+      postgres-operator.crunchydata.com/cluster: hippo-ha
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              postgres-operator.crunchydata.com/cluster: hippo-ha
+      ports:
+        - protocol: TCP
+          port: 5432
+        - protocol: TCP
+          port: 8008
+        - protocol: TCP
+          port: 2022
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-crunchydb-monitoring
+  labels:
+    postgres-operator.crunchydata.com/cluster: hippo-ha
+spec:
+  podSelector:
+    matchLabels:
+      postgres-operator.crunchydata.com/cluster: hippo-ha
+  ingress:
+    - from:
+        - namespaceSelector:
+            name: be1c6b
+            environment: tools
+      ports:
+        - protocol: TCP
+          port: 9187

crunchydb/high-availablility/PostgresCluster.yaml

@@ -0,0 +1,66 @@
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: hippo-ha
+spec:
+  monitoring:
+    pgmonitor:
+      exporter:
+        image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-5.0.3-0
+  image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:centos8-13.4-1
+  postgresVersion: 13
+  instances:
+    - name: pgha1
+      replicas: 3
+      dataVolumeClaimSpec:
+        accessModes:
+        - "ReadWriteOnce"
+        resources:
+          requests:
+            storage: 1Gi
+        storageClassName: netapp-block-standard
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 1
+            podAffinityTerm:
+              topologyKey: kubernetes.io/hostname
+              labelSelector:
+                matchLabels:
+                  postgres-operator.crunchydata.com/cluster: hippo-ha
+                  postgres-operator.crunchydata.com/instance-set: pgha1
+  backups:
+    pgbackrest:
+      global:
+        repo1-retention-full: "2"
+      image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:centos8-2.35-0
+      repos:
+      - name: repo1
+        schedules:
+          full: 0 1 * * *
+          incremental: 0 */4 * * *
+        volume:
+          volumeClaimSpec:
+            accessModes:
+            - "ReadWriteOnce"
+            resources:
+              requests:
+                storage: 1Gi
+            storageClassName: netapp-file-backup
+  proxy:
+    pgBouncer:
+      config:
+        global:
+          client_tls_sslmode: disable
+      image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:centos8-1.15-3
+      replicas: 2
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 1
+            podAffinityTerm:
+              topologyKey: kubernetes.io/hostname
+              labelSelector:
+                matchLabels:
+                  postgres-operator.crunchydata.com/cluster: hippo-ha
+                  postgres-operator.crunchydata.com/role: pgbouncer

crunchydb/high-availablility/README.md

@@ -0,0 +1,74 @@
+# Sample HA CrunchyDB PostgresCluster
+
+This is a sample `PostgresCluster` adapted from the example at <https://github.com/CrunchyData/postgres-operator-examples/tree/main/kustomize/high-availability>.
+
+You can find a full tutorial and docs on CrunchyDB at <https://access.crunchydata.com/documentation/postgres-operator/5.0.0/tutorial/>.
+
+In this example, my license plate is `be1c6b`.
+
+`NetworkPolicy.yaml` has a sample NetworkPolicy for allowing the cluster pods to talk to each other, and the one needed by Monitoring for access.
+
+`RoleBinding` has the Role and RoleBinding needed by the Monitoring stack.
+
+`PostgresCluster` has the sample PostgresCluster with 3 replicas, backups, and monitoring.
+
+## Monitoring Sidecar
+
+The monitoring side car is added like this.
+
+```yaml
+spec:
+  monitoring:
+    pgmonitor:
+      exporter:
+        image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-5.0.3-0
+```
+
+## Storage Class
+
+Postgres works best on block storage.
+
+```yaml
+spec:
+  instances:
+    - name: pgha1
+      dataVolumeClaimSpec:
+        storageClassName: netapp-block-standard
+```
+
+## Backups
+
+Keep 2 copies of full backups.
+
+```yaml
+spec:
+  backups:
+    pgbackrest:
+      global:
+        repo1-retention-full: "2"
+```
+
+Set the cron schedule for full and incremental backups.
+
+```yaml
+spec:
+  backups:
+    pgbackrest:
+      repos:
+      - name: repo1
+        schedules:
+          full: 0 1 * * *
+          incremental: 0 */4 * * *
+```
+
+Set the backups to go to a PVC that is [backed up](https://developer.gov.bc.ca/OCP4-Backup-and-Restore).
+
+```yaml
+spec:
+  backups:
+    pgbackrest:
+      repos:
+      - name: repo1
+        volume:
+            storageClassName: netapp-file-backup
+```

crunchydb/high-availablility/RoleBinding.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/name: postgres-operator-monitoring
+    vendor: crunchydata
+  name: crunchy-monitoring
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    vendor: crunchydata
+  name: crunchy-monitoring
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: crunchy-monitoring
+subjects:
+- kind: ServiceAccount
+  name: prometheus-sa
+  namespace: be1c6b-tools

crunchydb/monitoring/README.md

@@ -0,0 +1,137 @@
+# Crunchy DB PGO Monitoring
+
+You can install one Crunchy Monitoring stack in a tools namespace and monitor all your PGO clusters. In these directions replace `LICENSE` with the license plate of your namespaces.
+
+## Install monitoring stack
+
+Use this to install the Crunchy DB Monitoring stack into your tools namespace to monitor all your PGO instances.
+
+Edit `kustomization.yaml` and set your tools namespace.
+
+```yaml
+namespace: LICENSE-tools
+```
+
+Edit `grafana-oauth.yaml` and set `CHANGEME` to your tools namespace.
+
+```yaml
+- '--openshift-sar={"namespace": "LICENSE-tools", "resource": "services", "verb": "get"}'
+```
+
+Build the manifest. Note that `oc apply -k` seems to not work here due to using an older version of Kustomize.
+
+```bash
+kustomize build . -o crunchy-monitoring.yaml
+```
+
+Edit the output manifest `crunchy-monitoring.yaml`.
+
+First, find the ConfigMap for `alertmanager.yml` and set a better receiver for the alerts.
+
+```yaml
+    global:
+        smtp_smarthost: "apps.smtp.gov.bc.ca:25"
+        smtp_require_tls: false
+        smtp_from: 'Alertmanager <[email protected]>'
+```
+
+```yaml
+    receivers:
+    - name: 'default-receiver'
+      email_configs:
+      - to: '[email protected]'
+        send_resolved: true
+```
+
+Then find the ConfigMap for `prometheus.yml` and add the namespaces you want to monitor.
+
+```yaml
+    scrape_configs:
+    - job_name: 'crunchy-postgres-exporter'
+      kubernetes_sd_configs:
+      - role: pod
+        namespaces:
+          names:
+            - LICENSE-tools
+            - LICENSE-dev
+            - LICENSE-test
+            - LICENSE-prod
+```
+
+Finally, create all the items in the manifest.
+
+```bash
+oc -n LICENSE-tools create -f crunchy-monitoring.yaml
+```
+
+## Add monitoring sidecar to your PostgresCluster
+
+Edit your `PostgresCluster` to include the monitoring container as a sidecar
+
+```yaml
+spec:
+  monitoring:
+    pgmonitor:
+      exporter:
+        image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-5.0.3-0
+```
+
+Add a `Role` and `RoleBinding` to allow access from your tools namespace where you installed the monitoring.
+
+```yaml
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/name: postgres-operator-monitoring
+    vendor: crunchydata
+  name: crunchy-monitoring
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    vendor: crunchydata
+  name: crunchy-monitoring
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: crunchy-monitoring
+subjects:
+- kind: ServiceAccount
+  name: prometheus-sa
+  namespace: LICENSE-tools
+```
+
+Add a NetworkPolicy to allow the monitor to connect to your pods. Make sure `hippo` is changed to your `PostgresCluster` name.
+
+```yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-crunchydb-monitoring
+  labels:
+    postgres-operator.crunchydata.com/cluster: hippo
+spec:
+  podSelector:
+    matchLabels:
+      postgres-operator.crunchydata.com/cluster: hippo
+  ingress:
+    - from:
+        - namespaceSelector:
+            name: LICENSE
+            environment: tools
+      ports:
+        - protocol: TCP
+          port: 9187
+```