333e638e24
## Why encapi is the new Postgres-backed Puppet ENC that replaces Cobbler (Go API + encapi-cli + terraform provider). It needs to run somewhere reachable by the puppet masters (`encapi-cli classify`) and every node's `enc_direct_facts` fact. Deploy it in k8s alongside artifactapi, exposed at `encapi.k8s.syd1.au.unkin.net`. ## Changes - add `apps/base/encapi/`: namespace, deployment (`git.unkin.net/unkin/encapi`, port 8000, `/healthz` probes), service, gateway + httproute (`encapi.k8s.syd1.au.unkin.net`, traefik-internal), configmap (DB coordinates), CNPG cluster + pooler (database `encapi`), and VaultAuth + VaultStaticSecrets (`postgres-credentials`, `environment`) - add `apps/overlays/au-syd1/encapi` overlay referencing the base - register `apps/overlays/*/encapi` in the platform ApplicationSet so ArgoCD picks it up ## Notes - Mirrors the artifactapi pattern (VaultAuth role `default`, namespace-scoped VSO paths `kv/kubernetes/namespace/encapi/default/*`). - Before first sync, seed the Vault KV secrets: `environment` must carry `DBPASS` (matching the CNPG owner password) and `ENCAPI_WRITE_TOKEN`; `postgres-credentials` carries the CNPG owner username/password. - `kustomize build apps/overlays/au-syd1/encapi` validates clean (11 resources). --------- Co-authored-by: unkinben <neotheo@gmail.com> Reviewed-on: #230 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
92 lines
2.2 KiB
YAML
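---
# CloudNativePG cluster backing the encapi service (the Postgres-backed Puppet
# ENC): three PostgreSQL instances in the encapi namespace with a single
# application database owned by the encapi role.
#
# NOTE(review): keys are in alphabetical order and a number of values
# (startDelay/stopDelay/switchoverDelay, the log_* parameters, the probe and
# replication-slot settings) look like operator defaults captured from a live
# object rather than deliberate choices — confirm which ones are intentional
# overrides so future operator upgrades can change the rest.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: postgres
  namespace: encapi
spec:
  # Spread instances across nodes when the scheduler can; "preferred" does not
  # block scheduling when it cannot, so a single-node loss may still take more
  # than one instance down.
  affinity:
    podAntiAffinityType: preferred
  bootstrap:
    initdb:
      database: encapi
      encoding: UTF8
      localeCType: C
      localeCollate: C
      owner: encapi
      # Credentials for the owner role. Per the commit description this Secret
      # is materialised from Vault, and the same password must also be carried
      # as DBPASS in the `environment` secret. Keep the two copies in step —
      # rotating one without the other locks the application out of its
      # database without any error at the Kubernetes level.
      secret:
        name: postgres-credentials
  enablePDB: true
  # Presumably no superuser Secret is created with this set to false; the
  # application only ever holds the owner role. Leave false unless a one-off
  # maintenance task needs it, and turn it back off afterwards.
  enableSuperuserAccess: false
  # Promote a replica immediately when the primary is lost.
  failoverDelay: 0
  # Pinned image tag; bump deliberately. The operator performs the rolling
  # update itself (primaryUpdateStrategy: unsupervised below).
  imageName: ghcr.io/cloudnative-pg/postgresql:18.1-system-trixie
  instances: 3
  logLevel: info
  # Replication is asynchronous (no synchronous replica required), so a
  # failover can lose the most recently committed classification data.
  # Acceptable only if that data can be re-applied from its source — confirm.
  maxSyncReplicas: 0
  minSyncReplicas: 0
  monitoring:
    customQueriesConfigMap:
      - key: queries
        name: cnpg-default-monitoring
    disableDefaultQueries: false
    # No PodMonitor is created, so nothing appears to scrape this cluster's
    # metrics; enable it (or add a scrape config) if alerting on replication
    # lag and connection saturation is wanted for the ENC.
    enablePodMonitor: false
  postgresql:
    # Values in this map are strings; the numeric- and boolean-looking ones are
    # quoted on purpose so YAML does not type them as integers or booleans.
    parameters:
      # WAL archiving is on but no `backup:` stanza appears in this file, so
      # archived WAL has nowhere to ship to — presumably the operator default.
      archive_mode: "on"
      archive_timeout: 5min
      dynamic_shared_memory_type: posix
      effective_cache_size: 256MB
      full_page_writes: "on"
      log_destination: csvlog
      log_directory: /controller/log
      log_filename: postgres
      log_rotation_age: "0"
      log_rotation_size: "0"
      log_truncate_on_rotation: "false"
      logging_collector: "on"
      # 200 connections against a 512Mi memory limit (resources below) leaves
      # little headroom per backend; the pooler in front of this cluster is
      # presumably what keeps real connection counts low — verify.
      max_connections: "200"
      max_parallel_workers: "16"
      max_replication_slots: "16"
      max_worker_processes: "16"
      shared_buffers: 128MB
      shared_memory_type: mmap
      # Client TLS is pinned to 1.3 only. This constrains the protocol version;
      # it does not by itself require TLS for every connection — check the
      # effective pg_hba rules the operator renders if plaintext connections
      # from inside the cluster must be refused.
      ssl_max_protocol_version: TLSv1.3
      ssl_min_protocol_version: TLSv1.3
      wal_keep_size: 256MB
      # `logical` is wider than `replica` and only needed for logical
      # replication / CDC consumers; presumably the operator default — verify.
      wal_level: logical
      wal_log_hints: "on"
      wal_receiver_timeout: 5s
      wal_sender_timeout: 5s
    syncReplicaElectionConstraint:
      enabled: false
  primaryUpdateMethod: restart
  # The operator restarts / switches over the primary on its own during
  # rolling updates; there is no manual promotion step.
  primaryUpdateStrategy: unsupervised
  probes:
    liveness:
      # Fail the liveness probe (and let Kubernetes restart the pod) when an
      # instance can no longer reach the operator. Timeouts look like
      # milliseconds — TODO confirm units against the operator's CRD docs.
      isolationCheck:
        connectionTimeout: 1000
        enabled: true
        requestTimeout: 1000
  replicationSlots:
    # Operator-managed physical replication slots so replicas do not lose WAL
    # across a failover.
    highAvailability:
      enabled: true
      slotPrefix: _cnpg_
    synchronizeReplicas:
      enabled: true
    updateInterval: 30
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 250m
      memory: 256Mi
  # Shutdown / rolling-update timings; presumably seconds (CNPG convention) —
  # confirm before tuning.
  smartShutdownTimeout: 180
  startDelay: 3600
  stopDelay: 1800
  storage:
    resizeInUseVolumes: true
    size: 10Gi
    # The class name suggests a Delete reclaim policy: removing the Cluster (or
    # the ArgoCD Application that owns it) would release the PVs and their
    # data. With no backup configuration in this file that loss is
    # unrecoverable — confirm the reclaim policy and add a backup target before
    # this database becomes the authoritative source of node classification.
    storageClass: cephrbd-fast-delete
  switchoverDelay: 3600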