From b23a007672fab59c2ff63c18faa3191f10b2739f Mon Sep 17 00:00:00 2001
From: Erki Aas
Date: Mon, 22 Dec 2025 18:34:13 +0200
Subject: [PATCH] Dedicated postgres for harbor
---
 harbor-operator/postgres.yaml | 93 +++++++++++++++++++++++++++++++++++
 1 file changed, 93 insertions(+)
 create mode 100644 harbor-operator/postgres.yaml
diff --git a/harbor-operator/postgres.yaml b/harbor-operator/postgres.yaml
new file mode 100644
index 0000000..fbb6f7d
--- /dev/null
+++ b/harbor-operator/postgres.yaml
@@ -0,0 +1,93 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: postgres
+spec:
+ revisionHistoryLimit: 0
+ serviceName: postgres
+ selector:
+ matchLabels:
+ app: postgres
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: postgres
+ annotations:
+ prometheus.io/port: '9187'
+ prometheus.io/scrape: 'true'
+ spec:
+ containers:
+ - name: postgres
+ image: mirror.gcr.io/library/postgres:15
+ imagePullPolicy: Always
+ env:
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres-secrets
+ key: POSTGRES_PASSWORD
+ - name: POSTGRES_USER
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POSTGRES_DB
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: postgres-data
+ mountPath: /var/lib/postgresql/data
+ - name: postgres-init
+ mountPath: /docker-entrypoint-initdb.d
+ volumes:
+ - name: postgres-init
+ configMap:
+ name: postgres-init-config
+ volumeClaimTemplates:
+ - metadata:
+ name: postgres-data
+ spec:
+ storageClassName: ceph-rbd
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+ name: postgres-secrets
+spec:
+ size: 32
+ mapping:
+ - key: POSTGRES_PASSWORD
+ value: "%(plaintext)s"
+ - key: EXPORTER_PASSWORD
+ value: "%(plaintext)s"
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgres
+spec:
+ ports:
+ - protocol: TCP
+ port: 5432
+ selector:
+ app: postgres
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: postgres-init-config
+data:
+ initdb.sql: |
+ -- create a read-only monitoring user for exporters
+ CREATE USER exporter WITH PASSWORD 'exporter';
+ -- grant metrics/monitoring related permissions
+ GRANT pg_read_all_stats TO exporter;
+ GRANT SELECT ON pg_catalog.pg_replication_slots TO exporter;
+ GRANT CONNECT ON DATABASE "${POSTGRES_DB:-postgres}" TO exporter;
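Review bot: The `initdb.sql` entry in `postgres-init-config` creates the `exporter` role with the literal password `'exporter'`, while the `EXPORTER_PASSWORD` key generated by the `postgres-secrets` SecretClaim is never referenced, so a role holding `pg_read_all_stats` is reachable through the `postgres` Service on 5432 with a guessable credential. The same file relies on `"${POSTGRES_DB:-postgres}"`, but the official image passes `*.sql` init files to psql without shell expansion, so that GRANT most likely targets a database literally named `${POSTGRES_DB:-postgres}` and fails. Moving the statements into a shell init script that takes both values from the container environment addresses both points; a sketch follows. Both SecretClaim keys render the same `%(plaintext)s`, so it is worth confirming they do not resolve to an identical value, otherwise the monitoring role would share the superuser password.

```yaml
# … unchanged: StatefulSet metadata, postgres container image …
          env:
            # … unchanged: POSTGRES_PASSWORD, POSTGRES_USER, POSTGRES_DB …
            - name: EXPORTER_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-secrets
                  key: EXPORTER_PASSWORD
# … unchanged: volumeMounts, volumes, volumeClaimTemplates, SecretClaim, Service …
data:
  initdb.sh: |
    # psql variables keep the values out of the SQL text; :'v' quotes a literal, :"v" an identifier
    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
      -v exporter_password="$EXPORTER_PASSWORD" -v dbname="$POSTGRES_DB" <<'EOSQL'
    -- create a read-only monitoring user for exporters
    CREATE USER exporter WITH PASSWORD :'exporter_password';
    -- grant metrics/monitoring related permissions
    GRANT pg_read_all_stats TO exporter;
    GRANT SELECT ON pg_catalog.pg_replication_slots TO exporter;
    GRANT CONNECT ON DATABASE :"dbname" TO exporter;
    EOSQL
```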