diff --git a/README.md b/README.md index 3a6ce73..a6a694a 100644 --- a/README.md +++ b/README.md 
@@ -1,26 +1,100 @@ # CloudNativePG Cluster Chart -This [helm chart](https://small-hack.github.io/cloudnative-pg-tenant-chart/) is intended to be the Cluster helm chart component to the [CloudNativePG operator helm chart](https://github.com/cloudnative-pg/charts). +This [helm chart](https://small-hack.github.io/cloudnative-pg-tenant-chart/) was intended to be the Cluster helm chart component to the [CloudNativePG operator helm chart](https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg), but now serves mostly as a wrapper for their official [CloudNativePG cluster helm chart](https://github.com/cloudnative-pg/charts/tree/main/charts/cluster) that provides certificate and test app functionality. -Docs autogeneratated from the [values.yaml](charts/cloudnative-pg-cluster/values.yaml) are slowly being put together in the chart directory's [README.md](./charts/cloudnative-pg-cluster/README.md). +Docs auto-generated from the [values.yaml](charts/cloudnative-pg-cluster/values.yaml) are available in the chart directory's [README.md](./charts/cloudnative-pg-cluster/README.md). ## TLDR ```bash # add the helm repo locally -helm repo add cnpg https://small-hack.github.io/cloudnative-pg-cluster-chart +helm repo add cnpg-wrapper https://small-hack.github.io/cloudnative-pg-cluster-chart # get the values and edit them if needed -helm show values cnpg/cnpg-cluster > values.yaml +helm show values cnpg-wrapper/cnpg-cluster > values.yaml # install the chart -helm install cnpg cnpg/cnpg-cluster --values values.yaml +helm install cnpg cnpg-wrapper/cnpg-cluster --values values.yaml ``` ## Notes -### You must specify a bootstrap section +### Using the certficates -To use this chart you _have_ to specify either `bootstrap.initdb.database`/`bootstrap.initdb.owner` OR `bootstrap.recovery.source` in your helm parameters or values.yaml but you can't do both. 
+Certificates are generated using [CertManager](https://cert-manager.io/) to bootstrap self-signed CAs, Issuers and certs. To use them, please provide the following via your helm `values.yaml`: -You can see checkout the [CloudNativePG docs](https://cloudnative-pg.io/documentation/1.23/bootstrap/) for more info on the bootstrap section. +```yaml +# -- name to use for templating certs +name: "app-postgres" + +certificates: + server: + # -- enable using server certificates + enabled: true + # -- generate server certs using cert-manager. if true the following + # are ignored: certificates.serverTLSSecret, certificates.serverCASecret + generate: true + # -- name of existing Kubernetes Secret for the postgresql server TLS cert, + # ignored if certificates.generate is true + serverTLSSecret: "" + # -- name of existing Kubernetes Secret for the postgresql server Certificate + # Authority cert, ignored if certificates.generate is true + serverCASecret: "" + client: + # -- enable using client certificates + enabled: true + # -- generate client certs using cert-manager. if true the following are + # ignored: certificates.clientCASecret, certificates.replicationTLSSecret + generate: true + # -- name of existing Kubernetes Secret for the postgresql client Certificate + # Authority cert, ignored if certificates.generate is true + clientCASecret: "" + # -- name of existing Kubernetes Secret for the postgresql replication TLS + # cert ignored if certificates.generate is true + replicationTLSSecret: "" + user: + # -- create a certificate for a user to connect to postgres using CertManager + # requires server and client certificate generation enabled + enabled: true + # -- List of names of users to create a cert for, eg: the DbOwner specified earlier. + # This data populated into the commonName field of the certificate. 
+ username: + - "my-app" +``` + +Then, if you're using our bundled upstream CNPG cluster chart, make sure you provide the following: + +```yaml +cnpgCluster: + # -- enable this to deploy the official CNPG cluster helm chart dep + # All other values here are passed directly to the their chart. See: + # https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/values.yaml + enabled: true + type: postgresql + mode: standalone + # -- see: https://cloudnative-pg.io/docs/1.28/certificates#client-certificate + certificates: + ## examples if using our certificates features of this chart. + ## NOTE: app-postgres should be replaced with whatever you set Values.name to + serverTLSSecret: "app-postgres-server-cert" + serverCASecret: "app-postgres-server-ca-key-pair" + clientCASecret: "app-postgres-client-ca-key-pair" + replicationTLSSecret: "app-postgres-client-cert" + + postgresql: + # -- records for the pg_hba.conf file. ref: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html + # this states that certs are required for access to the cluster, + # but you can change it to still allow passwords if you'd like + pg_hba: + - hostnossl all all 0.0.0.0/0 reject + - hostssl all all 0.0.0.0/0 cert clientcert=verify-full +``` + +### Using the test app + +The test app may be enabled by certificates as well as setting `testApp.enabled=true` in your helm parameters or in the `values.yaml` like this: +```yaml +testApp: + enabled: true +``` +This will create a very basic Deployment of `ghcr.io/cloudnative-pg/webtest` [as described in the official docs](https://cloudnative-pg.io/docs/1.28/ssl_connections#testing-the-connection-via-a-tls-certificate) that attempts to connect to your postgres cluster using full mTLS. diff --git a/charts/cloudnative-pg-cluster/Chart.yaml b/charts/cloudnative-pg-cluster/Chart.yaml index 5055f91..62a9919 100644 --- a/charts/cloudnative-pg-cluster/Chart.yaml +++ b/charts/cloudnative-pg-cluster/Chart.yaml 
@@ -2,10 +2,17 @@ apiVersion: v2 name: cnpg-cluster description: Create postgres tenant clusters managed by the CNPG Operator type: application -version: 0.8.0 +version: 1.0.0 + +dependencies: + - name: cluster + alias: cnpgCluster + version: 0.5.0 + repository: https://cloudnative-pg.github.io/charts + condition: cnpgCluster.enabled maintainers: - name: "cloudymax" - url: "https://github.com/cloudymax" + url: "https://cloudydev.net" - name: "jessebot" url: "https://jessebot.work" diff --git a/charts/cloudnative-pg-cluster/README.md b/charts/cloudnative-pg-cluster/README.md index 68eb9dd..2dc75b0 100644 --- a/charts/cloudnative-pg-cluster/README.md +++ b/charts/cloudnative-pg-cluster/README.md @@ -1,6 +1,6 @@ # cnpg-cluster -![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Create postgres tenant clusters managed by the CNPG Operator 
@@ -8,16 +8,19 @@ Create postgres tenant clusters managed by the CNPG Operator | Name | Email | Url | | ---- | ------ | --- | -| cloudymax | | | +| cloudymax | | | | jessebot | | | +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://cloudnative-pg.github.io/charts | cnpgCluster(cluster) | 0.5.0 | + ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| annotations."cnpg.io/skipEmptyWalArchiveCheck" | string | `"enabled"` | | -| backup | object | `{}` | if we should backup up this cluster, please see values.yaml for example | -| bootstrap | object | `{}` | boostrap method. see: https://cloudnative-pg.io/documentation/1.23/bootstrap/ | | certificates.client.clientCASecret | string | `""` | name of existing Kubernetes Secret for the postgresql client Certificate Authority cert, ignored if certificates.generate is true | | certificates.client.enabled | bool | `false` | enable using client certificates | | certificates.client.generate | bool | `false` | generate client certs using cert-manager. if true the following are ignored: certificates.clientCASecret, certificates.replicationTLSSecret | 
@@ -28,26 +31,20 @@ Create postgres tenant clusters managed by the CNPG Operator | certificates.server.serverTLSSecret | string | `""` | name of existing Kubernetes Secret for the postgresql server TLS cert, ignored if certificates.generate is true | | certificates.user.enabled | bool | `false` | create a certificate for a user to connect to postgres using CertManager requires server and client certificate generation enabled | | certificates.user.username | list | `["app"]` | List of names of users to create a cert for, eg: the DbOwner specified earlier. This data populated into the commonName field of the certificate. | -| enableSuperuserAccess | bool | `false` | CNPG disables the postgres superuser by default must be explicitly enabled | -| externalClusters | list | `[]` | | -| imageCatalog.create | bool | `true` | Whether to provision an image catalog. If imageCatalog.images is empty this option will be ignored. | -| imageCatalog.images | list | `[]` | List of images to be provisioned in an image catalog. | -| instances | int | `3` | number of postgres replicas minimum 1 required | -| managed | object | `{"roles":[]}` | See https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-RoleConfiguration for explanation of all options | -| monitoring.enablePodMonitor | bool | `false` | enable monitoring via Prometheus | -| name | string | `"cnpg"` | | -| postgresGID | int | `-1` | The GID of the postgres user inside the image, defaults to 26 | -| postgresUID | int | `-1` | The UID of the postgres user inside the image, defaults to 26 | -| postgresql.pg_hba | list | `["hostnossl all all 0.0.0.0/0 reject","hostssl all all 0.0.0.0/0 cert clientcert=verify-full"]` | records for the pg_hba.conf file. 
ref: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html | -| primaryUpdateStrategy | string | `"unsupervised"` | | -| resources | object | `{}` | | -| scheduledBackup | object | `{}` | schduled backups section, please see values.yaml for example | -| storage.size | string | `"1Gi"` | how much storage to allocate to the postgresql cluster | -| storage.storageClass | string | `"default"` | set the storage class of the PVC. | -| superuserSecret | string | `""` | name of existing secret to use as superuser redentials will be randomly generated if not specified. | +| cnpgCluster.additionalEnv[0].name | string | `"AWS_REQUEST_CHECKSUM_CALCULATION"` | | +| cnpgCluster.additionalEnv[0].value | string | `"when_required"` | | +| cnpgCluster.additionalEnv[1].name | string | `"AWS_RESPONSE_CHECKSUM_VALIDATION"` | | +| cnpgCluster.additionalEnv[1].value | string | `"when_required"` | | +| cnpgCluster.certificates | object | `{}` | see: https://cloudnative-pg.io/docs/1.28/certificates#client-certificate | +| cnpgCluster.cluster.instances | int | `3` | Number of instances | +| cnpgCluster.enabled | bool | `false` | enable this to deploy the official CNPG cluster helm chart dep All other values here are passed directly to the their chart. See: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/values.yaml | +| cnpgCluster.mode | string | `"standalone"` | | +| cnpgCluster.postgresql.pg_hba | list | `["hostnossl all all 0.0.0.0/0 reject","hostssl all all 0.0.0.0/0 cert clientcert=verify-full"]` | records for the pg_hba.conf file. ref: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html | +| cnpgCluster.primaryUpdateStrategy | string | `"unsupervised"` | | +| cnpgCluster.type | string | `"postgresql"` | | +| cnpgCluster.version.postgresql | string | `"16"` | | +| name | string | `"app-postgres"` | name to use for templating certs | | testApp.enabled | bool | `false` | | -| type | string | `"postgresql"` | Type of the CNPG database. 
Available types: * `postgresql` * `postgis` * `timescaledb` | -| version.postgresql | int | `17` | version of postgres to run in all tenant pods | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/charts/cloudnative-pg-cluster/templates/cnpg_cluster.yaml b/charts/cloudnative-pg-cluster/templates/cnpg_cluster.yaml deleted file mode 100644 index c6d3290..0000000 --- a/charts/cloudnative-pg-cluster/templates/cnpg_cluster.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: {{ .Values.name }} - {{- with .Values.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - # this solves an issue with an old boto version - env: - - name: AWS_REQUEST_CHECKSUM_CALCULATION - value: when_required - - name: AWS_RESPONSE_CHECKSUM_VALIDATION - value: when_required - - postgresUID: {{ include "cluster.postgresUID" . }} - postgresGID: {{ include "cluster.postgresGID" . }} - instances: {{ .Values.instances }} - imageName: "ghcr.io/cloudnative-pg/postgresql:{{ .Values.version.postgresql }}" - enableSuperuserAccess: {{ .Values.enableSuperuserAccess }} - superuserSecret: {{ .Values.superuserSecret }} - primaryUpdateStrategy: {{ .Values.primaryUpdateStrategy }} - {{- with .Values.backup }} - backup: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- if .Values.externalClusters }} - externalClusters: - {{- range $reg, $props := .Values.externalClusters }} - - name: {{ $props.name }} - {{- toYaml . | nindent 6 }} - {{- end }} - {{- end }} - monitoring: - enablePodMonitor: {{ .Values.monitoring.enablePodMonitor }} - {{- with .Values.postgresql }} - postgresql: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.resources }} - resources: - {{- toYaml . | nindent 4 }} - {{- end }} - storage: - size: {{ .Values.storage.size }} - {{- if ne .Values.storage.storageClass "default" }} - storageClass: {{ .Values.storage.storageClass }} - {{- end }} - {{- with .Values.bootstrap }} - bootstrap: - {{- toYaml . 
| nindent 4 }} - {{- end }} - {{- if or .Values.certificates.server.enabled .Values.certificates.client.enabled }} - certificates: - {{- if and .Values.certificates.server.enabled }} - {{- if .Values.certificates.server.generate }} - serverTLSSecret: "{{ .Values.name }}-server-cert" - serverCASecret: "{{ .Values.name }}-server-ca-key-pair" - {{ else }} - serverTLSSecret: {{ .Values.certificates.server.serverTLSSecret }} - serverCASecret: {{ .Values.certificates.server.serverCASecret }} - {{- end }} - {{- end }} - {{- if and .Values.certificates.client.enabled }} - {{- if .Values.certificates.client.generate }} - clientCASecret: "{{ .Values.name }}-client-ca-key-pair" - replicationTLSSecret: "{{ .Values.name }}-client-cert" - {{ else }} - clientCASecret: {{ .Values.certificates.client.clientCASecret }} - replicationTLSSecret: {{ .Values.certificates.client.replicationTLSSecret }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.managed.roles }} - managed: - roles: - {{- range $reg, $props := .Values.managed.roles }} - - name: {{ $props.name }} - {{- toYaml . | nindent 6 }} - {{- end }} - {{- end }} diff --git a/charts/cloudnative-pg-cluster/templates/scheduled_backups.yaml b/charts/cloudnative-pg-cluster/templates/scheduled_backups.yaml deleted file mode 100644 index af0039b..0000000 --- a/charts/cloudnative-pg-cluster/templates/scheduled_backups.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.scheduledBackup }} ---- -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: {{ .Values.scheduledBackup.name }} -spec: - schedule: {{ .Values.scheduledBackup.spec.schedule }} - backupOwnerReference: {{ .Values.scheduledBackup.spec.backupOwnerReference }} - cluster: - name: {{ .Values.scheduledBackup.spec.cluster.name }} -{{- end }} diff --git a/charts/cloudnative-pg-cluster/values.yaml b/charts/cloudnative-pg-cluster/values.yaml index fc0a0ce..7908cf3 100644 --- a/charts/cloudnative-pg-cluster/values.yaml 
+++ b/charts/cloudnative-pg-cluster/values.yaml 
@@ -1,124 +1,5 @@ -name: "cnpg" - -version: - # -- version of postgres to run in all tenant pods - postgresql: 17 - - # -- Cluster annotations -annotations: - cnpg.io/skipEmptyWalArchiveCheck: enabled - -# -- number of postgres replicas -# minimum 1 required -instances: 3 - -# -- CNPG disables the postgres superuser by default -# must be explicitly enabled -enableSuperuserAccess: false - -# -- name of existing secret to use as superuser redentials -# will be randomly generated if not specified. -superuserSecret: "" - -imageCatalog: - # -- Whether to provision an image catalog. If imageCatalog.images is empty this option will be ignored. - create: true - # -- List of images to be provisioned in an image catalog. - images: [] - # - image: ghcr.io/your_repo/your_image:your_tag - # major: 17 - -# Examples of rolling update strategy: -# unsupervised: automated update of the primary once all -# replicas have been upgraded (default) -# supervised: requires manual supervision to perform -# the switchover of the primary -primaryUpdateStrategy: unsupervised - -# -- Type of the CNPG database. Available types: -# * `postgresql` -# * `postgis` -# * `timescaledb` -type: postgresql - -# -- boostrap method. 
see: https://cloudnative-pg.io/documentation/1.23/bootstrap/ -bootstrap: {} - # -- for initializing a fresh cluster - # initdb: - # # -- initial database to create - # database: app - # # -- owner of the initial database that is created above - # owner: app - # secret: - # name: app-secret - # list of SQL commands to run as part of the init scripts, example: - # postInitSQL: - # - CREATE ROLE friend - # - # for restoring a cluster - # recovery: - # # -- Specify an external cluster to bootstrap from - # source: clusterBackup - -# -- See https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-RoleConfiguration for explanation of all options -managed: - roles: [] - # - name: friend - # ensure: present - # comment: "friendly user" - # login: true - # superuser: false - # createdb: false - # createrole: false - # inRoles: [] - -externalClusters: [] -# # -- name of external/existing cluster -# - name: clusterBackup -# barmanObjectStore: -# destinationPath: "s3://backups" -# endpointURL: "http://HOST:PORT" -# s3Credentials: -# accessKeyId: -# # -- existing Kubernetes Secret to use for S3 access key ID -# name: "aws-creds" -# # -- key in Kubernetes Secret to use for S3 access key ID -# key: "ACCESS_KEY_ID" -# secretAccessKey: -# # -- existing Kubernetes Secret to use for S3 secret key -# name: "aws-creds" -# # -- key in Kubernetes Secret to use for S3 secret key -# key: "ACCESS_SECRET_KEY" -# wal: -# maxParallel: 8 - -# -- if we should backup up this cluster, please see values.yaml for example -backup: {} -# retentionPolicy: "30d" -# barmanObjectStore: -# destinationPath: "s3://backups" -# endpointURL: "http://HOST:PORT" -# s3Credentials: -# accessKeyId: -# # -- existing Kubernetes Secret to use for S3 access key ID -# name: "aws-creds" -# # -- key in Kubernetes Secret to use for S3 access key ID -# key: "ACCESS_KEY_ID" -# secretAccessKey: -# # -- existing Kubernetes Secret to use for S3 secret key -# name: "aws-creds" -# # -- key in 
Kubernetes Secret to use for S3 secret key -# key: "ACCESS_SECRET_KEY" - -# -- schduled backups section, please see values.yaml for example -scheduledBackup: {} -# name: example-backup -# spec: -# # -- crontab style schedule to run the backups -# schedule: "0 0 0 * * *" -# backupOwnerReference: self -# cluster: -# name: pg-backup +# -- name to use for templating certs +name: "app-postgres" certificates: server: 
@@ -154,41 +35,47 @@ certificates: username: - "app" -# -- The UID of the postgres user inside the image, defaults to 26 -postgresUID: -1 - -# -- The GID of the postgres user inside the image, defaults to 26 -postgresGID: -1 - -monitoring: - # -- enable monitoring via Prometheus - enablePodMonitor: false - -postgresql: - # -- records for the pg_hba.conf file. ref: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html - pg_hba: - - hostnossl all all 0.0.0.0/0 reject - - hostssl all all 0.0.0.0/0 cert clientcert=verify-full - -storage: - # -- how much storage to allocate to the postgresql cluster - size: 1Gi - # -- set the storage class of the PVC. - storageClass: default - -# from https://cloudnative-pg.io/documentation/1.22/resource_management/ -resources: {} - # -- minimum resources guaranteed for pods - # requests: - # cpu: "50m" - # memory: "64Mi" - # -- resource limit for pods - # limits: - # cpu: "1000m" - # memory: "512Mi" - testApp: ## -- create a test deployment to verify db connectivity. # Populates user and DB from the Initdb owner and database values # Requires server, client, and user certificate generation to be enabled. enabled: false + +cnpgCluster: + # -- enable this to deploy the official CNPG cluster helm chart dep + # All other values here are passed directly to the their chart. See: + # https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/values.yaml + enabled: false + type: postgresql + version: + postgresql: "16" + + mode: standalone + + # -- see: https://cloudnative-pg.io/docs/1.28/certificates#client-certificate + certificates: {} + ## examples if using our certificates features of this chart. 
+ ## NOTE: app-postgres should be replaced with whatever you set Values.name to + # serverTLSSecret: "app-postgres-server-cert" + # serverCASecret: "app-postgres-server-ca-key-pair" + # clientCASecret: "app-postgres-client-ca-key-pair" + # replicationTLSSecret: "app-postgres-client-cert" + + cluster: + # -- Number of instances + instances: 3 + + postgresql: + # -- records for the pg_hba.conf file. ref: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html + pg_hba: + - hostnossl all all 0.0.0.0/0 reject + - hostssl all all 0.0.0.0/0 cert clientcert=verify-full + + primaryUpdateStrategy: unsupervised + + # this solves an issue with an old boto version + additionalEnv: + - name: AWS_REQUEST_CHECKSUM_CALCULATION + value: when_required + - name: AWS_RESPONSE_CHECKSUM_VALIDATION + value: when_required
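Review bot: in the README.md hunk, the rewritten Notes section drops the old "you must specify a bootstrap section" guidance without saying where bootstrap now lives, and it never mentions that `cnpgCluster.enabled` defaults to `false`, so the TLDR install as written creates the cert-manager objects but no Cluster; add a sentence such as "set `cnpgCluster.enabled: true` and configure `cnpgCluster.cluster`/bootstrap per the upstream values.yaml". Same hunk: the heading "### Using the certficates" is misspelled, "passed directly to the their chart" has a stray "the", and "The test app may be enabled by certificates as well as setting `testApp.enabled=true`" reads better as "The test app requires the certificates above to be enabled, plus `testApp.enabled=true`".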
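Review bot: the bump to 1.0.0 in the Chart.yaml hunk is appropriate for a breaking change, but nothing in the diff records what broke for users: every top-level cluster value from 0.8.0 (`instances`, `bootstrap`, `backup`, `scheduledBackup`, `storage`, `resources`, `managed`, `externalClusters`, `superuserSecret`, `version.postgresql`) is removed, and Helm does not reject unknown keys, so an existing values.yaml upgrades silently and yields no Cluster. Add a short upgrade note to the README mapping old keys onto `cnpgCluster.*`, and consider a `values.schema.json` with `additionalProperties: false` at the top level so stale keys fail loudly.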
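Review bot: in the `@@ -28,26 +31,20 @@` hunk of the chart README the default PostgreSQL major changes from `version.postgresql: 17` to `cnpgCluster.version.postgresql: "16"`; a user who relied on the old default and upgrades an existing cluster would point a 17 data directory at a 16 image, which PostgreSQL refuses to start. Since this file is helm-docs output, the fix belongs in values.yaml: keep the default at `"17"` or call the downgrade out in the upgrade note.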
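Review bot: the deleted templates/cnpg_cluster.yaml used `include "cluster.postgresUID"` and `include "cluster.postgresGID"`, which must be defined in a `_helpers.tpl` that this diff does not touch; if those helpers are still present they are now dead code and should be removed in the same change. The deleted template also wired this chart's generated secret names (`{{ .Values.name }}-server-cert`, `-server-ca-key-pair`, `-client-ca-key-pair`, `-client-cert`) into `spec.certificates` automatically; after this change that wiring is manual (see the values.yaml note), so the removal deserves a mention in the commit message or README.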
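Review bot: deleting templates/scheduled_backups.yaml together with the `backup`/`scheduledBackup` values removes every reference to backups from this chart, and the new README says nothing about how to configure them through `cnpgCluster`; add a pointer to the upstream chart's backup values so users migrating from 0.8.0 do not lose their ScheduledBackup without noticing.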
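Review bot: in the `@@ -154,41 +35,47 @@` values.yaml hunk, `cnpgCluster.certificates: {}` with the secret names only in comments is the fragile part of this change: if `certificates.server.generate`/`certificates.client.generate` are true but this stays empty, the operator provisions its own CA for the Cluster, the client and user certs issued by this chart's CA are not trusted, and the `hostssl ... cert clientcert=verify-full` rule rejects every connection. Make the comment state that all four keys are required whenever this chart's cert generation is enabled (or document the `global` values approach). Two smaller points in the same hunk: the testApp comment uses `## --`, which helm-docs ignores (the README table shows an empty description for `testApp.enabled`), and it still says the app "Populates user and DB from the Initdb owner and database values" although `bootstrap.initdb` no longer exists in this chart; and the `pg_hba` rules cover only `0.0.0.0/0`, so IPv6 clients match no line and are denied by default, which is safe but worth an `::/0` pair if IPv6 is expected. "passed directly to the their chart" also repeats here.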