building homelab cluster part 11

---

Table of Content

building homelab cluster part 11

I want to revisit Postgres Operator by Zalando I installed in part 9 and practice backup and restore using WAL-e/g.

Here is the plan.

• create a minio s3 bucket
• prepare access key and secret access key
• create a SOPS-encrypted secret on SOPS repository
• update postgres operator to use the secret

Minio Tenant

• create a bucket named "postgres" with "private" access policy
• create a policy "postgres-rw"
• create a user named "postgresadmin" and set "postgres-rw" policy
• generate access and secret key for this "postgresadmin" user

postgres-rw

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::postgres", "arn:aws:s3:::postgres/*"]
    }
  ]
}

secret

Create a generic secret with environment variables.

# on SOPS repo
kubectl create secret generic postgres-backup -n postgres \
    --from-literal=WAL_S3_BUCKET=postgres \
    --from-literal=USE_WALG_BACKUP="true" \
    --from-literal=USE_WALG_RESTORE="true" \
    --from-literal=BACKUP_SCHEDULE='00 10 * * *' \
    --from-literal=AWS_ACCESS_KEY_ID=access_key_here \
    --from-literal=AWS_SECRET_ACCESS_KEY=secret_key_here \
    --from-literal=AWS_S3_FORCE_PATH_STYLE="true" \
    --from-literal=AWS_ENDPOINT=https://s3.blink-1x52.net \
    --from-literal=AWS_REGION=homelab \
    --from-literal=WALG_DISABLE_S3_SSE="true" \
    --from-literal=BACKUP_NUM_TO_RETAIN="5" \
    --from-literal=CLONE_USE_WALG_RESTORE="true" \
    --dry-run=client -o yaml > postgres-backup.yaml

# encrypt
sops -i --encrypt postgres-backup.yaml

# git commit and push for flux to process

postgres operator helm values file

Update values file to use "postgres-backup" secret.

postgres-operator-values.yaml

diff --git a/infrastructure/homelab/controllers/postgres-operator-values.yaml b/infrastructure/homelab/controllers/postgres-operator-values.yaml
index 7993d0d..8020267 100644
--- a/infrastructure/homelab/controllers/postgres-operator-values.yaml
+++ b/infrastructure/homelab/controllers/postgres-operator-values.yaml
@@ -182,7 +182,7 @@ configKubernetes:
   # namespaced name of the ConfigMap with environment variables to populate on every pod
   # pod_environment_configmap: "default/my-custom-config"
   # name of the Secret (in cluster namespace) with environment variables to populate on every pod
-  # pod_environment_secret: "my-custom-secret"
+  pod_environment_secret: "postgres-backup"

   # specify the pod management policy of stateful sets of Postgres clusters
   pod_management_policy: "ordered_ready"

Update shell script to generate updated flux helmrelease manifest using values file.

diff --git a/infrastructure/homelab/controllers/postgres.sh b/infrastructure/homelab/controllers/postgres.sh
index 162dec5..ee28a95 100755
--- a/infrastructure/homelab/controllers/postgres.sh
+++ b/infrastructure/homelab/controllers/postgres.sh
@@ -13,4 +13,5 @@ flux create helmrelease postgres-operator \
        --source=HelmRepository/postgres-operator \
        --chart=postgres-operator \
        --chart-version=1.11.0 \
+       --values=./postgres-operator-values.yaml \
        --export >>postgres-operator.yaml

result

This did work out well, but since I create database in each namespace, I also need to create secret in each namespace. Doing the same using configmap (also encrypted using sops) was better solution.

and ... wip 2024-04-23