From 6f2aa0e90756f61b6d5a2fb0ea41ca2979c30ef8 Mon Sep 17 00:00:00 2001
From: Erki Aas
Date: Mon, 22 Dec 2025 18:39:26 +0200
Subject: [PATCH] Dedicated postgres for harbor
---
 harbor-operator/application-extras.yml | 93 ++++++++++++++++++++++++++
 harbor-operator/postgres.yaml | 93 --------------------------
 2 files changed, 93 insertions(+), 93 deletions(-)
 delete mode 100644 harbor-operator/postgres.yaml
diff --git a/harbor-operator/application-extras.yml b/harbor-operator/application-extras.yml
index 20db5c4..4f521c4 100644
--- a/harbor-operator/application-extras.yml
+++ b/harbor-operator/application-extras.yml
@@ -55,3 +55,96 @@ spec:
 resources:
 limits:
 memory: 5Gi
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: postgres
+spec:
+ revisionHistoryLimit: 0
+ serviceName: postgres
+ selector:
+ matchLabels:
+ app: postgres
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: postgres
+ annotations:
+ prometheus.io/port: '9187'
+ prometheus.io/scrape: 'true'
+ spec:
+ containers:
+ - name: postgres
+ image: mirror.gcr.io/library/postgres:15
+ imagePullPolicy: Always
+ env:
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres-secrets
+ key: POSTGRES_PASSWORD
+ - name: POSTGRES_USER
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POSTGRES_DB
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: postgres-data
+ mountPath: /var/lib/postgresql/data
+ - name: postgres-init
+ mountPath: /docker-entrypoint-initdb.d
+ volumes:
+ - name: postgres-init
+ configMap:
+ name: postgres-init-config
+ volumeClaimTemplates:
+ - metadata:
+ name: postgres-data
+ spec:
+ storageClassName: ceph-rbd
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+ name: postgres-secrets
+spec:
+ size: 32
+ mapping:
+ - key: POSTGRES_PASSWORD
+ value: "%(plaintext)s"
+ - key: EXPORTER_PASSWORD
+ value: "%(plaintext)s"
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgres
+spec:
+ ports:
+ - protocol: TCP
+ port: 5432
+ selector:
+ app: postgres
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: postgres-init-config
+data:
+ initdb.sql: |
+ -- create a read-only monitoring user for exporters
+ CREATE USER exporter WITH PASSWORD 'exporter';
+ -- grant metrics/monitoring related permissions
+ GRANT pg_read_all_stats TO exporter;
+ GRANT SELECT ON pg_catalog.pg_replication_slots TO exporter;
+ GRANT CONNECT ON DATABASE "${POSTGRES_DB:-postgres}" TO exporter;
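Review bot: The `postgres-init-config` ConfigMap at the end of this hunk creates the `exporter` role with the literal password `'exporter'`, although the `postgres-secrets` SecretClaim in the same hunk generates an `EXPORTER_PASSWORD` that nothing shown here consumes. That leaves a guessable login on the database the `postgres` Service exposes on 5432, and `pg_read_all_stats` lets that role read other sessions' statistics and query text. Separately, `${POSTGRES_DB:-postgres}` is shell syntax inside a `.sql` file; as far as I know the image entrypoint hands `.sql` files to psql unexpanded, so that GRANT probably does not name the intended database — worth confirming. I would pass `EXPORTER_PASSWORD` into the container and replace `initdb.sql` with a sourced `.sh` script that gives it to psql as a variable, as sketched below (indentation is mine, since the hunk's is not recoverable from this page). Init scripts only run on an empty data directory, so an existing volume would also need a one-off `ALTER ROLE exporter PASSWORD …`.

```yaml
        env:
        # … unchanged: POSTGRES_PASSWORD, POSTGRES_USER, POSTGRES_DB …
        - name: EXPORTER_PASSWORD
          valueFrom:
            secretKeyRef:
              name: postgres-secrets
              key: EXPORTER_PASSWORD
# … unchanged: volumes, volumeClaimTemplates, SecretClaim, Service …
data:
  initdb.sh: |
    # sourced by the image entrypoint; psql does the quoting of both values
    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
      -v exporter_password="$EXPORTER_PASSWORD" <<'EOSQL'
    CREATE USER exporter WITH PASSWORD :'exporter_password';
    -- … unchanged: pg_read_all_stats and pg_replication_slots grants …
    GRANT CONNECT ON DATABASE :"DBNAME" TO exporter;
    EOSQL
```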
diff --git a/harbor-operator/postgres.yaml b/harbor-operator/postgres.yaml
deleted file mode 100644
index fbb6f7d..0000000
--- a/harbor-operator/postgres.yaml
+++ /dev/null
@@ -1,93 +0,0 @@
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: postgres
-spec:
- revisionHistoryLimit: 0
- serviceName: postgres
- selector:
- matchLabels:
- app: postgres
- replicas: 1
- template:
- metadata:
- labels:
- app: postgres
- annotations:
- prometheus.io/port: '9187'
- prometheus.io/scrape: 'true'
- spec:
- containers:
- - name: postgres
- image: mirror.gcr.io/library/postgres:15
- imagePullPolicy: Always
- env:
- - name: POSTGRES_PASSWORD
- valueFrom:
- secretKeyRef:
- name: postgres-secrets
- key: POSTGRES_PASSWORD
- - name: POSTGRES_USER
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: POSTGRES_DB
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- volumeMounts:
- - name: postgres-data
- mountPath: /var/lib/postgresql/data
- - name: postgres-init
- mountPath: /docker-entrypoint-initdb.d
- volumes:
- - name: postgres-init
- configMap:
- name: postgres-init-config
- volumeClaimTemplates:
- - metadata:
- name: postgres-data
- spec:
- storageClassName: ceph-rbd
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 2Gi
----
-apiVersion: codemowers.cloud/v1beta1
-kind: SecretClaim
-metadata:
- name: postgres-secrets
-spec:
- size: 32
- mapping:
- - key: POSTGRES_PASSWORD
- value: "%(plaintext)s"
- - key: EXPORTER_PASSWORD
- value: "%(plaintext)s"
----
-apiVersion: v1
-kind: Service
-metadata:
- name: postgres
-spec:
- ports:
- - protocol: TCP
- port: 5432
- selector:
- app: postgres
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: postgres-init-config
-data:
- initdb.sql: |
- -- create a read-only monitoring user for exporters
- CREATE USER exporter WITH PASSWORD 'exporter';
- -- grant metrics/monitoring related permissions
- GRANT pg_read_all_stats TO exporter;
- GRANT SELECT ON pg_catalog.pg_replication_slots TO exporter;
- GRANT CONNECT ON DATABASE "${POSTGRES_DB:-postgres}" TO exporter;