383 lines
10 KiB
YAML
383 lines
10 KiB
YAML
---
|
|
|
|
# Name of the job to generate
|
|
# Also used to controler service names
|
|
instance: postgres
|
|
|
|
pg:
|
|
|
|
vault:
|
|
pki:
|
|
ou: Postgres
|
|
|
|
# List of vault policies to attach to the task
|
|
policies:
|
|
- '[[ .instance ]][[ .consul.suffix ]]'
|
|
|
|
database:
|
|
role: '[[ .instance ]]-admin'
|
|
pgrole: dba
|
|
|
|
# Random secrets to generate if missing, and store in vault KV
|
|
rand_secrets:
|
|
fields:
|
|
- pg_pwd
|
|
- api_pwd
|
|
- monitor_pwd
|
|
- replicator_pwd
|
|
- rewind_pwd
|
|
- vault_initial_pwd
|
|
|
|
# Postgres server settings
|
|
server:
|
|
# The image to use
|
|
image: '[[ .docker.repo ]]patroni:15.24.3-2'
|
|
|
|
# Number of postgres instance. Patroni will handle leader election and replication
|
|
count: 1
|
|
|
|
# Optional en vars to pass to the container
|
|
# You should set PGBACKREST_XXX variable if you intend to use the back service
|
|
# Eg
|
|
# env:
|
|
# PGBACKREST_PROCESS_MAX: 4
|
|
# PGBACKREST_REPO1_RETENTION_FULL: 1
|
|
# PGBACKREST_REPO1_RETENTION_DIFF: 7
|
|
# PGBACKREST_REPO1_TYPE: sftp
|
|
# PGBACKREST_REPO1_SFTP_HOST: pbs.lapiole.org
|
|
# PGBACKREST_REPO1_SFTP_HOST_USER: pitr
|
|
# PGBACKREST_REPO1_PATH: /postgres/pgbackrest
|
|
# PGBACKREST_REPO1_SFTP_HOST_KEY_HASH_TYPE: sha256
|
|
# # awk '{print $2}' ssh_host_ecdsa_key.pub | base64 -d | sha256sum
|
|
# PGBACKREST_REPO1_SFTP_HOST_FINGERPRINT: ce6eb1c79ce6596d7580f3b08021b48e39e5a30f2fd751a7fa82b480d821eb99
|
|
# PGBACKREST_REPO1_SFTP_HOST_KEY_CHECK_TYPE: fingerprint
|
|
env:
|
|
PGBACKREST_STANZA: '[[ .instance ]]'
|
|
|
|
nomad:
|
|
# Set higher priority for the postgres job
|
|
priority: 80
|
|
# Enforce running on distinct hosts
|
|
constraints:
|
|
- operator: distinct_hosts
|
|
value: true
|
|
|
|
# In recovery mode, neither patroni nor postgres will be started. The container will start and wait for manual recovery
|
|
recovery: false
|
|
|
|
# Recovery configuration to pass to patroni config
|
|
recovery_conf: {}
|
|
|
|
# How many nodes should use synchronous replication. No effect unless count > 1
|
|
synchronous_node_count: 0
|
|
|
|
# Postgres parameters
|
|
# The following memory related settings can be expressed as a percentage, and wil be computed based on the memory allocation of the container
|
|
# shared_buffers effective_cache_size maintenance_work_mem wal_buffers work_mem
|
|
parameters:
|
|
log_line_prefix: "'[%m] u=%u,d=%d,a=%a,c=%h,xid=%x '"
|
|
wal_compression: zstd
|
|
log_min_duration_statement: 2000
|
|
log_timezone: '{{ env "TZ" }}'
|
|
timezone: '{{ env "TZ" }}'
|
|
log_destination: stderr
|
|
log_directory: /proc/1/fd
|
|
log_filename: 1
|
|
#logging_collector: on
|
|
#log_truncate_on_rotation: on
|
|
#log_rotation_size: 0
|
|
#log_rotation_age: 1440
|
|
log_statement: ddl
|
|
log_connections: on
|
|
log_disconnections: on
|
|
datestyle: 'ISO, DMY'
|
|
autovacuum_vacuum_threshold: 500
|
|
autovacuum_analyze_threshold: 500
|
|
autovacuum_vacuum_scale_factor: 0.1
|
|
autovacuum_analyze_scale_factor: 0.05
|
|
shared_buffers: 50%
|
|
maintenance_work_mem: 5%
|
|
work_mem: 1%
|
|
wal_keep_size: 512
|
|
|
|
# You can configure ldap auth for postgres
|
|
# users needing ldap auth should be members of the ldap_roles role in postgres
|
|
ldap_auth:
|
|
|
|
# Is the auth enabled
|
|
enabled: false
|
|
|
|
# List of servers to try to connect to
|
|
servers:
|
|
- localhost
|
|
|
|
# Port
|
|
port: 389
|
|
|
|
# Should StartTLS be used to connect
|
|
starttls: true
|
|
|
|
# The base DN where postgres will start looking for users
|
|
base_dn: OU=People,DC=example,DC=org
|
|
|
|
# Search filter to find matching users
|
|
search_filter: "(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_DBA,OU=Roles,DC=example,DC=org)(sAMAccountName=$username))"
|
|
|
|
# Optional bind DN and password to do the search operation
|
|
# If undefined, the search will be done anonymously
|
|
#bind_dn: CN=Postgres,OU=Apps,DC=example,DC=org
|
|
bind_password: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.ldap_pwd }}{{ end }}'
|
|
|
|
# Resource allocation for the container
|
|
resources:
|
|
cpu: 1000
|
|
memory: 1024
|
|
|
|
# URL of the service as seen from the outside
|
|
# This is used to initialize connection from vault to handle database secrets
|
|
# public_url: postgres://postgres.example.org:5432
|
|
|
|
traefik:
|
|
|
|
proto: tcp
|
|
|
|
# List of entrypoint the service will listen to
|
|
entrypoints:
|
|
- postgres
|
|
|
|
prometheus:
|
|
enabled: '[[ .prometheus.available ]]'
|
|
metrics_url: http://localhost:9187
|
|
|
|
# Backup service uses pgbackrest to perform
|
|
# WAL archive, and regular full/incr/diff backups
|
|
backup:
|
|
|
|
# Additional env var.
|
|
# Note that pg.server.env will be inherited so PGBACKREST config only needs to be set there
|
|
env: {}
|
|
|
|
# pgbackrest based backups
|
|
pgbackrest:
|
|
enabled: false
|
|
|
|
# Schedules for backups. Empty string to disable
|
|
cron:
|
|
full: 15 02 * * sun
|
|
diff: 15 02 * * mon,tue,wed,thu,fri,sat
|
|
incr: ''
|
|
|
|
# pg_dump based backups
|
|
dumps:
|
|
enabled: false
|
|
format: custom
|
|
compression: 6
|
|
cron: 39 03 * * *
|
|
|
|
# Resource allocations
|
|
resources:
|
|
cpu: 300
|
|
memory: 50
|
|
memory_max: 256
|
|
|
|
# Postgres exporter for prometheus
|
|
# Only used if prometheus.enabled is true
|
|
exporter:
|
|
version: 0.15.0
|
|
# Image to use
|
|
image: '[[ .docker.repo ]]postgres-exporter:[[ .pg.exporter.version ]]-1'
|
|
# Additional env var
|
|
env: {}
|
|
# Resources
|
|
resources:
|
|
cpu: 50
|
|
memory: 32
|
|
|
|
# manage can create database, users and sync permissions from LDAP (using ldap2pg)
|
|
manage:
|
|
# Image to use
|
|
image: '[[ .docker.repo ]]ldap2pg:6.0-10'
|
|
|
|
# Resource allocation
|
|
resources:
|
|
cpu: 50
|
|
memory: 32
|
|
|
|
# Services to wait before running
|
|
wait_for:
|
|
- service: 'master.[[ .instance ]]'
|
|
|
|
# Additional env var
|
|
env:
|
|
WAIT_FOR_TARGETS: localhost:5432
|
|
|
|
# Connection to postgres through the service mesg
|
|
consul:
|
|
connect:
|
|
upstreams:
|
|
- destination_name: "[[ .instance ]]"
|
|
local_bind_port: 5432
|
|
|
|
# List of databases to create (so permissions can be applied)
|
|
# For each database, a role with the same name (and NOLOGIN) will be created and be owner of the database
|
|
# databases:
|
|
# - name: vaultwarden
|
|
# - name: odoo
|
|
# owner: erp
|
|
# encoding: UTF-8
|
|
# locale: fr_FR.utf8
|
|
# template: template1
|
|
# extensions:
|
|
# - uuid-ossp
|
|
databases: []
|
|
|
|
# Schedule to run ldap2pg regularily, to ensure permissions are up to date
|
|
# This is especially useful when syncing roles from LDAP
|
|
# An empty string disable running the job as a cron
|
|
cron: ""
|
|
|
|
# mode can be dry (no change will be made) or real
|
|
#
|
|
mode: dry
|
|
|
|
# Default config for ldap2pg (except for rules which are handled separately)
|
|
default_config:
|
|
version: 6
|
|
postgres:
|
|
managed_roles_query: |
|
|
VALUES
|
|
('public'),
|
|
('managed_roles')
|
|
|
|
UNION
|
|
|
|
SELECT DISTINCT role.rolname
|
|
FROM pg_roles AS role
|
|
JOIN pg_auth_members AS ms ON ms.member = role.oid
|
|
JOIN pg_roles AS parent
|
|
ON parent.rolname = 'managed_roles' AND parent.oid = ms.roleid
|
|
ORDER BY 1;
|
|
privileges:
|
|
user:
|
|
- __connect__
|
|
- __usage_on_schema__
|
|
reader:
|
|
- user
|
|
- __select_on_tables__
|
|
- __select_on_sequences__
|
|
- __usage_on_sequences__
|
|
writer:
|
|
- reader
|
|
- __temporary__
|
|
- __insert_on_tables__
|
|
- __update_on_tables__
|
|
- __delete_on_tables__
|
|
- __update_on_sequences__
|
|
- __execute_on_functions__
|
|
- __trigger_on_tables__
|
|
owner:
|
|
- writer
|
|
- __create_on_schemas__
|
|
- __truncate_on_tables__
|
|
rewinder:
|
|
- __connect__
|
|
- __execute_on_functions__
|
|
|
|
# Custom config : will be merged on top of default_config
|
|
config: {}
|
|
|
|
# A set of default rules to apply
|
|
default_rules:
|
|
- roles:
|
|
- name: managed_roles
|
|
comment: Parent role for all ldap2pg managed roles
|
|
|
|
- name: ldap_roles
|
|
comment: "Parent role for LDAP synced roles"
|
|
options: NOLOGIN
|
|
parents:
|
|
- managed_roles
|
|
|
|
- name: backup
|
|
comment: "DB backup"
|
|
options: LOGIN REPLICATION
|
|
parents:
|
|
- pg_read_all_data
|
|
- managed_roles
|
|
|
|
- name: dba
|
|
comment: "Databases admins"
|
|
options: SUPERUSER NOLOGIN
|
|
parents:
|
|
- managed_roles
|
|
|
|
- name: rewind
|
|
comment: "Databases rewinder"
|
|
options: LOGIN
|
|
parents:
|
|
- managed_roles
|
|
|
|
- name: monitor
|
|
comment: "Databases monitor"
|
|
options: LOGIN
|
|
parents:
|
|
- managed_roles
|
|
- pg_monitor
|
|
|
|
- name: vault
|
|
comment: "Hashicorp Vault"
|
|
options: SUPERUSER LOGIN
|
|
parents:
|
|
- managed_roles
|
|
|
|
- grant:
|
|
role: vault
|
|
privileges: reader
|
|
databases: postgres
|
|
|
|
- grant:
|
|
role: monitor
|
|
privileges: user
|
|
|
|
- grant:
|
|
role: rewind
|
|
privileges: rewinder
|
|
databases: postgres
|
|
|
|
- grant:
|
|
role: dba
|
|
privileges: owner
|
|
|
|
# Additional custom rules to apply (will be appended to default_rules)
|
|
rules: []
|
|
|
|
# Settings for major upgrades
|
|
upgrade:
|
|
image: danielberteaud/pg-major-upgrade:latest
|
|
|
|
env: {}
|
|
|
|
from: ""
|
|
to: ""
|
|
do_upgrade: false
|
|
|
|
resources:
|
|
cpu: '[[ .pg.server.resources.cpu ]]'
|
|
memory: '[[ .pg.server.resources.memory ]]'
|
|
|
|
# Volumes
|
|
volumes:
|
|
# The data volume is used to store postgres data
|
|
# It'll be opened as single-node-writer, and it's recommended to be a block based volume (eg, iSCSI)
|
|
# The volumes are connected using per_alloc, so the alloc ID will be appended. Eg postgres-data[0], postgres-data[1] etc.
|
|
data:
|
|
type: csi
|
|
source: '[[ .instance ]]-data'
|
|
per_alloc: true
|
|
# Backup volume (can be used for pgbackrest and dumps)
|
|
# Will be opened as multi-node-multi-writer. Can be NFS
|
|
backup:
|
|
type: csi
|
|
source: '[[ .instance ]]-backup'
|
|
access_mode: multi-node-multi-writer
|