Adding some changes for our env

README.md

@@ -27,3 +27,25 @@ For information regarding the software versions of the components included and K
 The examples provided in this project repository are available subject to the [Apache 2.0](https://github.com/CrunchyData/postgres-operator-examples/blob/-/LICENSE.md) license with the PGO logo and branding assets covered by our [trademark guidelines](https://github.com/CrunchyData/postgres-operator/blob/-/docs/static/logos/TRADEMARKS.md).
 
 The examples as provided in this repo are designed for the use of PGO along with Crunchy Data's Postgres distribution, Crunchy Postgres, as Crunchy Postgres for Kubernetes. The unmodified use of these examples will result in downloading container images from Crunchy Data repositories - specifically the Crunchy Data Developer Portal. The use of container images downloaded from the Crunchy Data Developer Portal are subject to the [Crunchy Data Developer Program terms](https://www.crunchydata.com/developers/terms-of-use).
+
+
+$RHINO_USER_PASSWORD='wq/etO{sk9ulgIqBGz/29.lD'
+
+kubectl create secret generic pgadmin-password-secret -n postgres-operator --from-literal=rhino-password=wq/etO{sk9ulgIqBGz/29.lD
+
+
+kubectl get crd --selector postgres-operator.crunchydata.com/control-plane=postgres-operator
+
+NAME                                                 CREATED AT
+pgadmins.postgres-operator.crunchydata.com           ...
+
+
+PG_CLUSTER_USER_SECRET_NAME=hippo-pguser-rhino
+
+PGPASSWORD=$(kubectl get secrets -n postgres-operator "${PG_CLUSTER_USER_SECRET_NAME}" -o go-template='{{.data.password | base64decode}}') \ e=)
+PGUSER=$(kubectl get secrets -n postgres-operator "${PG_CLUSTER_USER_SECRET_NAME}" -o go-template='{{.data.user | base64decode}}') \ rhino
+PGDATABASE=$(kubectl get secrets -n postgres-operator "${PG_CLUSTER_USER_SECRET_NAME}" -o go-template='{{.data.dbname | base64decode}}') \
+psql -h localhost
+
+kubectl create secret generic pgadmin-password-secret -n postgres-operator --from-literal=rhino-password='e=)w@qst83|l7X}
+

helm/install/values.yaml

@@ -49,7 +49,7 @@ pgoControllerLeaseName: cpk-leader-election-lease
 
 # replicas sets the number of PGO instances.
 # Warning: This should only be greater than 1 if pgoControllerLeaseName is set!
-replicas: 1
+replicas: 2
 
 # imagePullSecretNames is a list of secret names to use for pulling controller images.
 # More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod

kustomize/certmanager/certman/selfsigned-issuer.yaml

@@ -3,5 +3,6 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: selfsigned-issuer
+  namespace: cert-manager
 spec:
   selfSigned: {}

kustomize/high-availability/ha-postgres.yaml

@@ -5,14 +5,16 @@ metadata:
 spec:
   postgresVersion: 16
   instances:
-    - name: pgha1
-      replicas: 2
+    - name: instance1
+      replicas: 3
       dataVolumeClaimSpec:
         accessModes:
         - "ReadWriteOnce"
         resources:
           requests:
             storage: 1Gi
+          limits:
+            storage: 25Gi
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -22,7 +24,7 @@ spec:
               labelSelector:
                 matchLabels:
                   postgres-operator.crunchydata.com/cluster: hippo-ha
-                  postgres-operator.crunchydata.com/instance-set: pgha1
+                  postgres-operator.crunchydata.com/instance-set: instance1
   backups:
     pgbackrest:
       repos:
@@ -36,7 +38,7 @@ spec:
                 storage: 1Gi
   proxy:
     pgBouncer:
-      replicas: 2
+      replicas: 3
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:

kustomize/install/default/kustomization.yaml

@@ -34,4 +34,4 @@ patches:
           - name: operator
             env:
             - name: PGO_FEATURE_GATES
-              value: ""
+              value: "AutoGrowVolumes=true"

kustomize/install/manager/manager.yaml

@@ -4,7 +4,7 @@ kind: Deployment
 metadata:
   name: pgo
 spec:
-  replicas: 1
+  replicas: 2
   strategy: { type: Recreate }
   template:
     spec:

kustomize/keycloak/keycloak.yaml

@@ -22,15 +22,15 @@ spec:
         - name: DB_VENDOR
           value: "postgres"
         - name: DB_ADDR
-          valueFrom: { secretKeyRef: { name: keycloakdb-pguser-keycloakdb, key: host } }
+          valueFrom: { secretKeyRef: { name: hippo-pguser-rhino, key: pgbouncer-host } }
         - name: DB_PORT
-          valueFrom: { secretKeyRef: { name: keycloakdb-pguser-keycloakdb, key: port } }
+          valueFrom: { secretKeyRef: { name: hippo-pguser-rhino, key: pgbouncer-port } }
         - name: DB_DATABASE
-          valueFrom: { secretKeyRef: { name: keycloakdb-pguser-keycloakdb, key: dbname } }
+          valueFrom: { secretKeyRef: { name: hippo-pguser-rhino, key: dbname } }
         - name: DB_USER
-          valueFrom: { secretKeyRef: { name: keycloakdb-pguser-keycloakdb, key: user } }
+          valueFrom: { secretKeyRef: { name: hippo-pguser-rhino, key: user } }
         - name: DB_PASSWORD
-          valueFrom: { secretKeyRef: { name: keycloakdb-pguser-keycloakdb, key: password } }
+          valueFrom: { secretKeyRef: { name: hippo-pguser-rhino, key: password } }
         - name: KEYCLOAK_ADMIN
           value: "admin"
         - name: KEYCLOAK_ADMIN_PASSWORD
@@ -47,3 +47,5 @@ spec:
             path: /realms/master
             port: 8080
       restartPolicy: Always
+
+      Solution:

kustomize/keycloak/postgres.yaml

@@ -3,6 +3,8 @@ kind: PostgresCluster
 metadata:
   name: keycloakdb
 spec:
+  proxy:
+    pgBouncer: {}
   postgresVersion: 16
   instances:
     - replicas: 2
@@ -32,4 +34,4 @@ spec:
             - "ReadWriteOnce"
             resources:
               requests:
-                storage: 1Gi
+                storage: 1Gi

kustomize/pgadmin/kustomization.yaml

@@ -9,8 +9,8 @@ resources:
 secretGenerator:
 - name: pgadmin-password-secret
   literals:
-  - rhino-password=pgadmin
+  - rhino-password="x|9[iMoBy8[^<FWyQ]*|tUH,"
   type: Opaque
 
 generatorOptions:
-  disableNameSuffixHash: true
+  disableNameSuffixHash: true

kustomize/pgadmin/pgadmin.yaml

@@ -4,7 +4,7 @@ metadata:
   name: rhino
 spec:
   users:
-    - username: rhino@example.com
+    - username: rhino@prostarsentertainment.com
       role: Administrator
       passwordRef:
         name: pgadmin-password-secret
@@ -14,7 +14,7 @@ spec:
     - "ReadWriteOnce"
     resources:
       requests:
-        storage: 1Gi
+        storage: 2Gi
   serverGroups:
     - name: supply
       # An empty selector selects all postgresclusters in the Namespace
@@ -39,4 +39,4 @@ spec:
       #    OAUTH2_USERINFO_ENDPOINT: "userinfo"
       #    OAUTH2_SSL_CERT_VERIFICATION: "False" # for testing purposes
       #    OAUTH2_BUTTON_COLOR: "red"   
-      #OAUTH2_AUTO_CREATE_USER : "True"
+      #OAUTH2_AUTO_CREATE_USER : "True"

kustomize/postgres/cert-repl.yaml

@@ -0,0 +1,33 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: hippo-repl-certmanager
+spec:
+  # Secret names are always required.
+  secretName: hippo-repl-tls
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  subject:
+    organizations:
+    - hippo-org
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: _crunchyrepl
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  usages:
+    - digital signature
+    - key encipherment
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+  - _crunchyrepl
+  issuerRef:
+    name: ca-issuer
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer
+    # This is optional since cert-manager will default to this value however
+    # if you are using an external issuer, change this to that issuer group.
+    group: cert-manager.io

kustomize/postgres/cert.yaml

@@ -0,0 +1,36 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: hippo-certmanager
+spec:
+  # Secret names are always required.
+  secretName: hippo-tls
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  subject:
+    organizations:
+    - hippo-org
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: hippo-primary
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  usages:
+    - digital signature
+    - key encipherment
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+  - hippo-primary
+  - hippo-primary.postgres-operator
+  - hippo-primary.postgres-operator.svc
+  - hippo-primary.postgres-operator.svc.cluster.local
+  issuerRef:
+    name: ca-issuer
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer
+    # This is optional since cert-manager will default to this value however
+    # if you are using an external issuer, change this to that issuer group.
+    group: cert-manager.io

kustomize/postgres/decode-cert.md

@@ -0,0 +1,102 @@
+# Decoding TLS Certificates from Kubernetes Secret
+
+This document provides step-by-step instructions to extract and decode the contents of certificates and private keys from a Kubernetes secret.
+
+## Secret Overview
+The Kubernetes secret `hippo-tls` in the namespace `postgres-operator` contains the following data:
+
+- **ca.crt**: Certificate Authority's certificate
+- **tls.crt**: Server's certificate
+- **tls.key**: Server's private key
+
+### Steps to Decode the Certificate and Key
+
+### 1. Get the Secret Data
+Run the following command to view the raw Base64-encoded data:
+```bash
+kubectl get secret hippo-tls -n postgres-operator -o jsonpath='{.data}'
+```
+
+Output example:
+```json
+{"ca.crt":"<Base64_String>","tls.crt":"<Base64_String>","tls.key":"<Base64_String>"}
+```
+
+### 2. Extract and Decode the Data
+Use the following commands to decode each part of the secret:
+
+#### Decode `ca.crt` (CA Certificate):
+```bash
+kubectl get secret hippo-tls -n postgres-operator -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
+```
+
+#### Decode `tls.crt` (Server Certificate):
+```bash
+kubectl get secret hippo-tls -n postgres-operator -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt
+```
+
+#### Decode `tls.key` (Server Private Key):
+```bash
+kubectl get secret hippo-tls -n postgres-operator -o jsonpath='{.data.tls\.key}' | base64 -d > tls.key
+```
+
+### 3. View the Decoded Contents
+After decoding, you can view the contents of the files using the following commands:
+
+#### View `ca.crt`:
+```bash
+cat ca.crt
+```
+
+#### View `tls.crt`:
+```bash
+cat tls.crt
+```
+
+#### View `tls.key`:
+```bash
+cat tls.key
+```
+
+### Example Outputs
+
+#### `ca.crt` (Certificate Authority Certificate):
+```
+-----BEGIN CERTIFICATE-----
+[Base64 encoded certificate]
+-----END CERTIFICATE-----
+```
+
+#### `tls.crt` (Server Certificate):
+```
+-----BEGIN CERTIFICATE-----
+[Base64 encoded certificate]
+-----END CERTIFICATE-----
+```
+
+#### `tls.key` (Server Private Key):
+```
+-----BEGIN PRIVATE KEY-----
+[Base64 encoded private key]
+-----END PRIVATE KEY-----
+```
+
+### 4. Verify the Decoded Files
+You can use the `openssl` tool to verify the decoded files:
+
+#### Verify the Certificate:
+```bash
+openssl x509 -in tls.crt -text -noout
+```
+
+#### Verify the Private Key:
+```bash
+openssl rsa -in tls.key -check
+```
+
+### Use Cases
+- The decoded files (`ca.crt`, `tls.crt`, and `tls.key`) can now be used for:
+  - Configuring TLS for `pgBouncer` or `PostgreSQL`.
+  - Testing and debugging certificate and key configurations.
+
+By following these steps, you can successfully decode and retrieve the contents of your certificates and private key from the Kubernetes secret.

kustomize/postgres/kustomization.yaml

@@ -4,4 +4,6 @@ kind: Kustomization
 namespace: postgres-operator
 
 resources:
+- cert.yaml
+- cert-repl.yaml
 - postgres.yaml

kustomize/postgres/lb-pgbouncer.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres-cluster-pgbouncer-loadbalancer
+  namespace: postgres-operator
+  labels:
+    app: postgres-cluster
+  annotations: 
+    io.cilium/lb-ipam-ips: "10.1.80.156"
+spec:
+  type: LoadBalancer
+  selector:
+    postgres-operator.crunchydata.com/cluster: hippo
+    postgres-operator.crunchydata.com/role: pgbouncer
+  ports:
+    - name: postgres
+      protocol: TCP
+      port: 5432
+      targetPort: 5432
+  externalTrafficPolicy: Local