Merge branch 'main' of https://github.com/boettiger-lab/k8s

Author: cboettig

README.md

@@ -15,9 +15,20 @@ Nvidia container toolkit setup
 <https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/install-guide.html>
 
 
+# Tricks
+
+RAM use (etc) of active container (cgroup)
+
+```
+cat /sys/fs/cgroup/memory.max | awk '{printf "%.2f GB\n", $1/1024/1024/1024}'
+cat /sys/fs/cgroup/memory.current | awk '{printf "%.2f GB\n", $1/1024/1024/1024}'
+```
+
 
 ## With external Caddy
 
+(Deprecating)
+
 - Run `K3s` with `--disabled=traefik` (as Caddy will be handling the external network; otherwise this creates conflicts over the http/https ports, 80 & 443).
 - For `jupyterhub`, config needs:
 

postgres/.gitignore

@@ -0,0 +1,7 @@
+# Ignore actual secrets file
+secrets.sh
+
+# Ignore any other local secret files
+*.local
+*.secret
+.env

postgres/README.md

@@ -0,0 +1,162 @@
+# PostgreSQL on Kubernetes
+
+This directory contains the Kubernetes manifests and scripts to deploy PostgreSQL on your cluster.
+
+## Quick Start
+
+1. **Set up secrets:**
+   ```bash
+   cp secrets.sh.example secrets.sh
+   # Edit secrets.sh with your actual password
+   ```
+
+2. **Deploy PostgreSQL:**
+   ```bash
+   chmod +x deploy.sh
+   ./deploy.sh
+   ```
+
+3. **Connect to PostgreSQL:**
+   - From within the cluster: `psql -h postgres-service.postgres.svc.cluster.local -U postgres -d postgres`
+   - From outside (port-forward): `kubectl port-forward service/postgres-service 5432:5432 -n postgres`
+
+4. **Clean up:**
+   ```bash
+   chmod +x cleanup.sh
+   ./cleanup.sh
+   ```
+
+## Files
+
+- `secrets.sh.example` - Template for secrets configuration (copy to `secrets.sh`)
+- `secrets.sh` - Your actual secrets (gitignored, create from example)
+- `.gitignore` - Ensures secrets don't get committed
+- `postgres-pvc.yaml` - Persistent Volume Claim for data storage (10Gi)
+- `postgres-deployment.yaml` - PostgreSQL deployment with health checks
+- `postgres-service.yaml` - Service to expose PostgreSQL within the cluster
+- `deploy.sh` - Script to deploy all resources
+- `cleanup.sh` - Script to remove all resources
+
+## Configuration
+
+### Default Credentials
+
+Credentials are set in your local `secrets.sh` file:
+- **Host:** postgres-service.postgres.svc.cluster.local
+- **Port:** 5432
+- **Database:** Set in `secrets.sh` (default: postgres)
+- **Username:** Set in `secrets.sh` (default: postgres)
+- **Password:** Set in `secrets.sh`
+
+⚠️ **Security Note:** Never commit `secrets.sh` to version control!
+
+### Storage
+- Default storage request: 10Gi
+- Access mode: ReadWriteOnce
+- You may need to specify a `storageClassName` in `postgres-pvc.yaml` depending on your cluster setup
+
+### Resource Limits
+- Memory: 256Mi request, 512Mi limit
+- CPU: 250m request, 500m limit
+
+## Customization
+
+### Changing Credentials
+Edit your local `secrets.sh` file:
+```bash
+export POSTGRES_PASSWORD="your-new-secure-password"
+export POSTGRES_DB="your-database-name"
+export POSTGRES_USER="your-username"
+```
+
+### Storage Class
+If your cluster uses a specific storage class, uncomment and modify the `storageClassName` in `postgres-pvc.yaml`.
+
+### PostgreSQL Version
+To use a different PostgreSQL version, modify the `image` field in `postgres-deployment.yaml`:
+```yaml
+image: postgres:14  # or postgres:13, postgres:16, etc.
+```
+
+## Connection Examples
+
+### From a Pod in the Cluster
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: postgres-client
+  namespace: postgres
+spec:
+  containers:
+  - name: postgres-client
+    image: postgres:17
+    command: ['sh', '-c', 'sleep 3600']
+    env:
+    - name: PGPASSWORD
+      value: "postgres123"
+```
+
+Then exec into the pod:
+```bash
+kubectl exec -it postgres-client -n postgres -- psql -h postgres-service.postgres.svc.cluster.local -U postgres -d postgres
+```
+
+### Environment Variables for Applications
+```yaml
+env:
+- name: DATABASE_URL
+  value: "postgresql://postgres:postgres123@postgres-service.postgres.svc.cluster.local:5432/postgres"
+- name: POSTGRES_HOST
+  value: "postgres-service.postgres.svc.cluster.local"
+- name: POSTGRES_PORT
+  value: "5432"
+- name: POSTGRES_DB
+  value: "postgres"
+- name: POSTGRES_USER
+  value: "postgres"
+- name: POSTGRES_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: postgres-secret
+      key: postgres-password
+```
+
+## Troubleshooting
+
+### Check Pod Status
+```bash
+kubectl get pods -l app=postgres -n postgres
+kubectl describe pod -l app=postgres -n postgres
+```
+
+### Check Logs
+```bash
+kubectl logs -l app=postgres -n postgres
+```
+
+### Check PVC Status
+```bash
+kubectl get pvc postgres-pvc -n postgres
+```
+
+### Test Connection
+```bash
+kubectl run postgres-client --rm -i --tty --image postgres:17 -n postgres -- psql -h postgres-service.postgres.svc.cluster.local -U postgres -d postgres
+```
+
+## High Availability Notes
+
+This setup deploys a single PostgreSQL instance. For production environments, consider:
+
+1. **PostgreSQL Operator** - Use operators like Zalando's PostgreSQL Operator or Crunchy Data PostgreSQL Operator
+2. **Backup Strategy** - Implement automated backups using tools like pgBackRest or Barman
+3. **Monitoring** - Add monitoring with tools like pg_stat_statements and exporters for Prometheus
+4. **Resource Tuning** - Adjust memory and CPU limits based on your workload
+
+## Security Considerations
+
+1. **Change Default Password** - Always change the default password in production
+2. **Network Policies** - Consider implementing Kubernetes Network Policies to restrict access
+3. **TLS** - Configure SSL/TLS for encrypted connections
+4. **RBAC** - Use Kubernetes RBAC to control access to PostgreSQL resources

postgres/cleanup.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# PostgreSQL Kubernetes Cleanup Script
+# This script removes PostgreSQL from your Kubernetes cluster
+
+set -e
+
+echo "🗑️ Removing PostgreSQL from Kubernetes..."
+
+# Remove all PostgreSQL resources
+echo "🗄️ Removing PostgreSQL deployment..."
+kubectl delete -f postgres-deployment.yaml --ignore-not-found=true
+
+echo "🌐 Removing PostgreSQL service..."
+kubectl delete -f postgres-service.yaml --ignore-not-found=true
+
+echo "💾 Removing persistent volume claim..."
+kubectl delete -f postgres-pvc.yaml --ignore-not-found=true
+
+echo "📝 Removing PostgreSQL secret..."
+kubectl delete -f postgres-secret.yaml --ignore-not-found=true
+
+echo "📦 Removing postgres namespace..."
+kubectl delete namespace postgres --ignore-not-found=true
+
+echo "✅ PostgreSQL cleanup completed!"

postgres/deploy.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+
+# PostgreSQL Kubernetes Deployment Script
+# This script deploys PostgreSQL to your Kubernetes cluster
+
+set -e
+
+echo "🚀 Deploying PostgreSQL to Kubernetes..."
+
+# Load secrets from local file
+if [ -f "./secrets.sh" ]; then
+    echo "📝 Loading secrets from secrets.sh..."
+    source ./secrets.sh
+else
+    echo "❌ secrets.sh not found!"
+    echo "Please copy secrets.sh.example to secrets.sh and set your password:"
+    echo "  cp secrets.sh.example secrets.sh"
+    echo "  # Edit secrets.sh with your actual password"
+    exit 1
+fi
+
+# Validate required environment variables
+if [ -z "$POSTGRES_PASSWORD" ]; then
+    echo "❌ POSTGRES_PASSWORD not set in secrets.sh"
+    exit 1
+fi
+
+# Set defaults for optional variables
+POSTGRES_DB=${POSTGRES_DB:-"postgres"}
+POSTGRES_USER=${POSTGRES_USER:-"postgres"}
+
+echo "🔐 Creating PostgreSQL secret with your password..."
+
+# Create namespace if it doesn't exist
+echo "📦 Creating postgres namespace..."
+kubectl create namespace postgres --dry-run=client -o yaml | kubectl apply -f -
+
+# Create secret from environment variables
+echo "� Creating PostgreSQL secret..."
+kubectl create secret generic postgres-secret \
+  --from-literal=postgres-password="$POSTGRES_PASSWORD" \
+  --from-literal=postgres-user="$POSTGRES_USER" \
+  --from-literal=postgres-db="$POSTGRES_DB" \
+  --namespace=postgres \
+  --dry-run=client -o yaml | kubectl apply -f -
+
+# Apply all PostgreSQL manifests
+
+echo " Creating persistent volume claim..."
+kubectl apply -f postgres-pvc.yaml
+
+echo "🗄️ Creating PostgreSQL deployment..."
+kubectl apply -f postgres-deployment.yaml
+
+echo "🌐 Creating PostgreSQL service..."
+kubectl apply -f postgres-service.yaml
+
+echo "⏳ Waiting for PostgreSQL to be ready..."
+kubectl wait --for=condition=available --timeout=300s deployment/postgres -n postgres
+
+echo "✅ PostgreSQL deployment completed!"
+echo ""
+echo "Connection details:"
+echo "  PostgreSQL Host: postgres-service.postgres.svc.cluster.local"
+echo "  PostgreSQL Port: 5432"
+echo "  Database: $POSTGRES_DB"
+echo "  Username: $POSTGRES_USER"
+echo "  Password: [from secrets.sh]"
+echo ""
+echo "To connect from within the cluster:"
+echo "  psql -h postgres-service.postgres.svc.cluster.local -U $POSTGRES_USER -d $POSTGRES_DB"
+echo ""
+echo "To port-forward PostgreSQL for external access:"
+echo "  kubectl port-forward service/postgres-service 5432:5432 -n postgres"
+echo "  Then connect to localhost:5432"

postgres/postgres-deployment.yaml

@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: postgres
+  namespace: postgres
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgres
+  template:
+    metadata:
+      labels:
+        app: postgres
+    spec:
+      containers:
+      - name: postgres
+        image: postgres:17
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 5432
+        env:
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: postgres-secret
+              key: postgres-password
+        - name: POSTGRES_USER
+          valueFrom:
+            secretKeyRef:
+              name: postgres-secret
+              key: postgres-user
+        - name: POSTGRES_DB
+          valueFrom:
+            secretKeyRef:
+              name: postgres-secret
+              key: postgres-db
+        volumeMounts:
+        - mountPath: /var/lib/postgresql/data
+          name: postgres-storage
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "250m"
+          limits:
+            memory: "512Mi"
+            cpu: "500m"
+        livenessProbe:
+          exec:
+            command:
+              - /bin/sh
+              - -c
+              - exec pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" -h 127.0.0.1 -p 5432
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 6
+        readinessProbe:
+          exec:
+            command:
+              - /bin/sh
+              - -c
+              - -e
+              - |
+                exec pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" -h 127.0.0.1 -p 5432
+                [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 6
+      volumes:
+      - name: postgres-storage
+        persistentVolumeClaim:
+          claimName: postgres-pvc

postgres/postgres-ingress.yaml

@@ -0,0 +1,25 @@
+## NOTE: Assumes cert-manager and external-dns have been set up.
+## Ensure A record exists first if external-dns is not setup
+## cloudflare-proxied specific option to cloudflare, subdomains only, does not support sub.sub domains.
+##
+## This uses Traefik's TCP routing to expose PostgreSQL directly
+## Clients can connect using: psql -h postgres-cirrus.carlboettiger.info -p 5432 -U postgres
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: postgres-tcp-ingress
+  annotations:
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"  # TCP traffic cannot be proxied through Cloudflare
+  labels:
+    app: postgres
+spec:
+  entryPoints:
+    - postgres-tcp  # You'll need to configure this entrypoint in Traefik
+  routes:
+  - match: HostSNI(`postgres-cirrus.carlboettiger.info`)
+    services:
+    - name: postgres-service
+      port: 5432
+  tls:
+    secretName: postgres-tls