black-start cnpg replication config

2026-03-17 20:08:03 -04:00
parent d26192d28e
commit 425f9ee792
6 changed files with 133 additions and 2 deletions
--- a/kubernetes/manifests/cnpg.nix
+++ b/kubernetes/manifests/cnpg.nix
@@ -0,0 +1,108 @@
+{
+  services.k3s.manifests = {
+    "objectstore.yaml".content = {
+      apiVersion = "barmancloud.cnpg.io/v1";
+      kind = "ObjectStore";
+      metadata.name = "truenas-s3";
+      metadata.namespace = "cloudnativepg";
+      spec = {
+        configuration = {
+          destinationPath = "s3://weyma-talos-shared-pgsql-new/";
+          endpointURL = "http://10.105.15.20:9000";
+          s3Credentials = {
+            accessKeyId = {
+              key = "s3AccessKey";
+              name = "s3-backup-creds";
+            };
+            secretAccessKey = {
+              key = "s3SecretKey";
+              name = "s3-backup-creds";
+            };
+          };
+        };
+      };
+    };
+    "pg-cluster.yaml".content = {
+      apiVersion = "postgresql.cnpg.io/v1";
+      kind = "Cluster";
+      metadata.name = "weyma-bs-pgsql";
+      metadata.namespace = "cloudnativepg";
+      spec = {
+        instances = 1;
+        imageName = "ghcr.io/cloudnative-pg/postgresql:16.9-5-bullseye";
+        storage = {
+          size = "50Gi";
+          storageClass = "local-path";
+        };
+        plugins = [
+          {
+            name = "barman-cloud.cloudnative-pg.io";
+            parameters.barmanObjectName = "truenas-s3";
+          }
+        ];
+        bootstrap.recovery.source = "weyma-pgsql";
+        externalClusters = [
+          {
+            name = "weyma-bs-pgsql";
+            plugin = {
+              name = "barman-cloud.cloudnative-pg.io";
+              parameters = {
+                barmanObjectName = "truenas-s3";
+                serverName = "weyma-bs-pgsql";
+              };
+            };
+          }
+          {
+            name = "weyma-pgsql";
+            connectionParameters = {
+              host = "10.105.10.24";
+              user = "streaming_replica";
+              dbname = "postgres";
+              sslmode = "require";
+            };
+            plugin = {
+              name = "barman-cloud.cloudnative-pg.io";
+              parameters = {
+                barmanObjectName = "truenas-s3";
+                serverName = "weyma-pgsql";
+              };
+            };
+            sslKey = {
+              name = "weyma-pgsql-replication";
+              key = "tls.key";
+            };
+            sslCert = {
+              name = "weyma-pgsql-replication";
+              key = "tls.crt";
+            };
+            sslRootCert = {
+              name = "weyma-pgsql-ca";
+              key = "ca.crt";
+            };
+          }
+        ];
+        replica = {
+          primary = "weyma-pgsql";
+          source = "weyma-pgsql";
+        };
+        managed.services.additional = [
+          {
+            selectorType = "rw";
+            serviceTemplate = {
+              metadata.name = "weyma-bs-pgsql-ext";
+              spec.type = "LoadBalancer";
+            };
+          }
+        ];
+      };
+    };
+    "weyma-pgsql-ca.yaml".content = {
+      apiVersion = "v1";
+      kind = "Secret";
+      metadata.name = "weyma-pgsql-ca";
+      metadata.namespace = "cloudnativepg";
+      # this is fine to be in plaintext since it's just a cert and contains no key
+      data."ca.crt" = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJtekNDQVVLZ0F3SUJBZ0lRUjMzT3F3OTJKbDlmeXFzMkZyREd0akFLQmdncWhrak9QUVFEQWpBdU1SWXcKRkFZRFZRUUxFdzFqYkc5MVpHNWhkR2wyWlhCbk1SUXdFZ1lEVlFRREV3dDNaWGx0WVMxd1ozTnhiREFlRncweQpOVEV5TWpnd01URTROVEZhRncweU5qQXpNamd3TVRFNE5URmFNQzR4RmpBVUJnTlZCQXNURFdOc2IzVmtibUYwCmFYWmxjR2N4RkRBU0JnTlZCQU1UQzNkbGVXMWhMWEJuYzNGc01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMEQKQVFjRFFnQUU5c1R4R0tLNWdRVnhmZzNkZWtlbHpFSGlMbG5GaHBZa1hTMzJSYlphV0llZ3ZWWk11cC9TRmU4YQoyai92TWdETldpZVJWcHBTVElBeml0YUxQYXdvSktOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdJRU1BOEdBMVVkCkV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGRysxclg2aUgwaG50bE0yaEpXdnpGaW9peTZGTUFvR0NDcUcKU000OUJBTUNBMGNBTUVRQ0lBeXhPS3VGVFhhQUJwaGhJZDI0VXZkU0FLTytPanpIZStvbVJYeDdqbTJOQWlCbAo1TVc0MDZzU3haTDgydTFtL2J3V0JXQWZPTWhLNXVlYmIyemR3QzE0Vmc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==";
+    };
+  };
+}
--- a/kubernetes/manifests/default.nix
+++ b/kubernetes/manifests/default.nix
@@ -1,5 +1,6 @@
 {
    imports = [
        ./test.nix
+        ./cnpg.nix
    ];
 }
--- a/kubernetes/secrets/cloudnativepg/weyma-pgsql-replication.nix
+++ b/kubernetes/secrets/cloudnativepg/weyma-pgsql-replication.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+{
+  sops.templates."weyma-pgsql-replication.yaml" = {
+    mode = "0444";
+    content = ''
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: weyma-pgsql-replication
+        namespace: cloudnativepg
+      type: Opaque
+      data:
+        tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJuVENDQVVTZ0F3SUJBZ0lRVEcvaEhOSG5IeGxQVzdtTGI5akIxekFLQmdncWhrak9QUVFEQWpBdU1SWXcKRkFZRFZRUUxFdzFqYkc5MVpHNWhkR2wyWlhCbk1SUXdFZ1lEVlFRREV3dDNaWGx0WVMxd1ozTnhiREFlRncweQpOVEV5TWpnd01URTROVEZhRncweU5qQXpNamd3TVRFNE5URmFNQnd4R2pBWUJnTlZCQU1NRVhOMGNtVmhiV2x1CloxOXlaWEJzYVdOaE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRWVRQzVjb2pzUDMwUTZGcnMKS1draTBjRHpDSkk1eVNoS25PaURRR24yQ1FtNEhmaWRGd3V6cFBOdWlaUHk4TjFmNFRzRlJwNy8ybDhSeUd0OQovWjhUMWFOV01GUXdEZ1lEVlIwUEFRSC9CQVFEQWdPSU1CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUNNQXdHCkExVWRFd0VCL3dRQ01BQXdId1lEVlIwakJCZ3dGb0FVYjdXdGZxSWZTR2UyVXphRWxhL01XS2lMTG9Vd0NnWUkKS29aSXpqMEVBd0lEUndBd1JBSWdWeG5OeEVBM3lGYVdRZk1JTDAxKzB2RXBiZVBGcElNdkkxVkNTT3Z2QzhvQwpJR3k4MVVwYmFucVVRdUd6alJjZmxYWDdrSjRqcUlhUWFWUUE0SmRNNzFpQQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        tls.key: ${config.sops.placeholder.weyma_pgsql_replication_tls_key}
+    '';
+    path = "/var/lib/rancher/k3s/server/manifests/secrets/weyma-pgsql-replication.yaml";
+  };
+}
--- a/kubernetes/secrets/default.nix
+++ b/kubernetes/secrets/default.nix
@@ -1,5 +1,6 @@
 {
  imports = [
    ./cloudnativepg/s3-backup-creds.nix
+    ./cloudnativepg/weyma-pgsql-replication.nix
  ];
 }