building homelab cluster part 11
I want to revisit the Postgres Operator by Zalando that I installed in part 9 and practice backup and restore using WAL-E/WAL-G.
Here is the plan.
- create a minio s3 bucket
- prepare access key and secret access key
- create a SOPS-encrypted secret in the SOPS repository
- update the postgres operator to use the secret
Minio Tenant
- create a bucket named "postgres" with "private" access policy
- create a policy "postgres-rw"
- create a user named "postgresadmin" and set "postgres-rw" policy
- generate access and secret key for this "postgresadmin" user
postgres-rw
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::postgres", "arn:aws:s3:::postgres/*"]
    }
  ]
}
secret
Create a generic secret with the environment variables.
# on SOPS repo
kubectl create secret generic postgres-backup -n postgres \
--from-literal=WAL_S3_BUCKET=postgres \
--from-literal=USE_WALG_BACKUP="true" \
--from-literal=USE_WALG_RESTORE="true" \
--from-literal=BACKUP_SCHEDULE='00 10 * * *' \
--from-literal=AWS_ACCESS_KEY_ID=access_key_here \
--from-literal=AWS_SECRET_ACCESS_KEY=secret_key_here \
--from-literal=AWS_S3_FORCE_PATH_STYLE="true" \
--from-literal=AWS_ENDPOINT=https://s3.blink-1x52.net \
--from-literal=AWS_REGION=homelab \
--from-literal=WALG_DISABLE_S3_SSE="true" \
--from-literal=BACKUP_NUM_TO_RETAIN="5" \
--from-literal=CLONE_USE_WALG_RESTORE="true" \
--dry-run=client -o yaml > postgres-backup.yaml
# encrypt in place
sops -i --encrypt postgres-backup.yaml
# git commit and push so flux picks it up
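Because the operator copies every key of this Secret into the environment of every Postgres pod, a typo in a key name or a forgotten placeholder only shows up when the first backup silently does not happen. The following check is an added example, not code from the post or from the Zalando project: it parses the plain-text Secret that `kubectl create secret ... --dry-run=client -o yaml` writes, decodes the base64 `data:` values and checks them before the file is encrypted with sops and pushed. `make_manifest` and `POST_VALUES` are constructed helpers that rebuild the manifest from the values in the post; the required-key list is an assumption drawn from the variables the post sets, not a list published by the project.

```python
"""Pre-commit sanity check for the postgres-backup Secret manifest (added example)."""
import base64
import re
import sys

# Keys the post puts into the secret; assumed required because the WAL-G
# backup path does not work without them.
REQUIRED_KEYS = {
    "WAL_S3_BUCKET", "USE_WALG_BACKUP", "USE_WALG_RESTORE", "BACKUP_SCHEDULE",
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_ENDPOINT", "AWS_REGION",
}
# Flags that Spilo reads as the literal strings "true"/"false".
BOOL_KEYS = {"USE_WALG_BACKUP", "USE_WALG_RESTORE", "AWS_S3_FORCE_PATH_STYLE",
             "WALG_DISABLE_S3_SSE", "CLONE_USE_WALG_RESTORE"}
# The placeholder values from the post that must be replaced before committing.
PLACEHOLDERS = {"access_key_here", "secret_key_here"}


def _b64(value: str) -> str:
    return base64.b64encode(value.encode()).decode()


def make_manifest(values: dict, name: str = "postgres-backup", namespace: str = "postgres") -> str:
    """Constructed helper: build a Secret in the shape `kubectl ... --dry-run=client -o yaml` prints."""
    lines = ["apiVersion: v1", "data:"]
    lines += [f"  {k}: {_b64(v)}" for k, v in sorted(values.items())]
    lines += ["kind: Secret", "metadata:", "  creationTimestamp: null",
              f"  name: {name}", f"  namespace: {namespace}"]
    return "\n".join(lines) + "\n"


# Constructed sample: the literals from the post, placeholders included.
POST_VALUES = {
    "WAL_S3_BUCKET": "postgres",
    "USE_WALG_BACKUP": "true",
    "USE_WALG_RESTORE": "true",
    "BACKUP_SCHEDULE": "00 10 * * *",
    "AWS_ACCESS_KEY_ID": "access_key_here",
    "AWS_SECRET_ACCESS_KEY": "secret_key_here",
    "AWS_S3_FORCE_PATH_STYLE": "true",
    "AWS_ENDPOINT": "https://s3.blink-1x52.net",
    "AWS_REGION": "homelab",
    "WALG_DISABLE_S3_SSE": "true",
    "BACKUP_NUM_TO_RETAIN": "5",
    "CLONE_USE_WALG_RESTORE": "true",
}


def parse_secret_data(manifest: str) -> dict:
    """Return the decoded `data:` entries of a v1 Secret manifest.

    Deliberately a minimal line parser (no YAML dependency): kubectl emits the
    data block as flat, two-space indented `KEY: base64` lines.
    """
    data, in_data = {}, False
    for line in manifest.splitlines():
        if re.match(r"^\S", line):            # a new top-level key ends the data block
            in_data = line.strip() == "data:"
            continue
        if in_data:
            m = re.match(r"^\s+([A-Za-z0-9_.-]+):\s*(\S+)\s*$", line)
            if m:
                data[m.group(1)] = base64.b64decode(m.group(2)).decode()
    return data


def check_backup_secret(manifest: str) -> dict:
    """Return {"errors": [...], "warnings": [...]}; empty errors means the secret is usable."""
    data = parse_secret_data(manifest)
    errors, warnings = [], []
    for key in sorted(REQUIRED_KEYS - set(data)):
        errors.append(f"missing key {key}")
    for key in sorted(BOOL_KEYS & set(data)):
        if data[key] not in ("true", "false"):
            errors.append(f"{key} must be the string true or false, got {data[key]!r}")
    sched = data.get("BACKUP_SCHEDULE")
    if sched is not None and len(sched.split()) != 5:
        errors.append(f"BACKUP_SCHEDULE is not a five-field cron expression: {sched!r}")
    for key in ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"):
        if data.get(key) in PLACEHOLDERS:
            errors.append(f"{key} still holds the placeholder value")
    retain = data.get("BACKUP_NUM_TO_RETAIN")
    if retain is not None and not retain.isdigit():
        errors.append(f"BACKUP_NUM_TO_RETAIN must be a number, got {retain!r}")
    endpoint = data.get("AWS_ENDPOINT", "")
    if endpoint and not endpoint.startswith("https://"):
        warnings.append("AWS_ENDPOINT is not https: credentials and backup data would cross the network in clear")
    if data.get("WALG_DISABLE_S3_SSE") == "true":
        warnings.append("WALG_DISABLE_S3_SSE=true: objects are stored without server-side encryption")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Usage: python check_backup_secret.py postgres-backup.yaml (before `sops -i --encrypt`)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else make_manifest(POST_VALUES)
    result = check_backup_secret(text)
    for level in ("errors", "warnings"):
        for msg in result[level]:
            print(f"{level[:-1]}: {msg}")
    sys.exit(1 if result["errors"] else 0)
```

Run it on the dry-run output before `sops -i --encrypt`; once the file is encrypted the `data:` values are no longer base64 and the check has to run on `sops -d` output instead. The SSE warning is informational for a Minio tenant without server-side encryption configured, which is why it is reported separately from the errors that block a commit.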
postgres operator helm values file
Update the values file to use the "postgres-backup" secret.
postgres-operator-values.yaml
diff --git a/infrastructure/homelab/controllers/postgres-operator-values.yaml b/infrastructure/homelab/controllers/postgres-operator-values.yaml
index 7993d0d..8020267 100644
--- a/infrastructure/homelab/controllers/postgres-operator-values.yaml
+++ b/infrastructure/homelab/controllers/postgres-operator-values.yaml
@@ -182,7 +182,7 @@ configKubernetes:
# namespaced name of the ConfigMap with environment variables to populate on every pod
# pod_environment_configmap: "default/my-custom-config"
# name of the Secret (in cluster namespace) with environment variables to populate on every pod
- # pod_environment_secret: "my-custom-secret"
+ pod_environment_secret: "postgres-backup"
# specify the pod management policy of stateful sets of Postgres clusters
pod_management_policy: "ordered_ready"
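Review bot: `pod_environment_secret` takes a bare Secret name and, as the comment directly above the changed line says, it is looked up in the cluster namespace, so this setting only works for Postgres clusters in namespaces that already contain a `postgres-backup` Secret; either create that Secret in every namespace where a cluster is created, or use the namespaced `pod_environment_configmap: "default/my-custom-config"` form shown two lines earlier for settings that are shared across namespaces.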
Update the shell script that generates the flux HelmRelease manifest so that it passes the values file.
diff --git a/infrastructure/homelab/controllers/postgres.sh b/infrastructure/homelab/controllers/postgres.sh
index 162dec5..ee28a95 100755
--- a/infrastructure/homelab/controllers/postgres.sh
+++ b/infrastructure/homelab/controllers/postgres.sh
@@ -13,4 +13,5 @@ flux create helmrelease postgres-operator \
--source=HelmRepository/postgres-operator \
--chart=postgres-operator \
--chart-version=1.11.0 \
+ --values=./postgres-operator-values.yaml \
--export >>postgres-operator.yaml
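Review bot: the new `--values=./postgres-operator-values.yaml` is resolved against the current working directory, not the script's own location, so running `postgres.sh` from anywhere else fails to find the values file; `--values="$(dirname "$0")/postgres-operator-values.yaml"` would make it location-independent. Also, the `>>` on the `--export` line appends, so re-running the script after a values change leaves the previous HelmRelease in `postgres-operator.yaml` next to the new one unless the file is truncated first.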
result
This worked well, but since I create a database in each namespace, I also had to create the secret in each namespace. Doing the same with a ConfigMap (also encrypted with SOPS) turned out to be the better solution.