push pgbouncer chart

Author: edevosc2c

pgbouncer/.helmignore

@@ -0,0 +1,28 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+
+# Various IDEs
+.project
+.idea/
+*.tmproj
+
+# Builded charts
+values.*.yaml
+*.tgz

pgbouncer/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0.0"
+description: A Helm chart installing pgbouncer in kubernetes
+name: pgbouncer
+version: 1.2.1

pgbouncer/README.md

@@ -0,0 +1,23 @@
+# PgBouncer custom chart
+
+## Configure PgBouncer
+Everything will be done in the helm `values` file.
+
+1. Add your virtual users (authentication) in the list in `config.userlist`.
+2. Configure the main destination PostgreSQL server in `.config.postgresql` (hostname and port).
+3. Configure (mount) the credentials for the databases through `extraVolumeMounts` and `extraVolumes`.  
+  The secret need to have this structure (common structure in C2C):
+  ```
+  dbname: mydatabase
+  host: thehost
+  password: mypassword
+  port: "5432"
+  user: myuser
+  ```
+
+## Fine tune the user permissions
+Please read here what is PostgreSQL HBA: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html. In a nutshell, it allows you to configure advanced permissions for the users.
+
+This will allow us to configure the permissions for our virtual PgBouncer users.
+
+For that uncomment `config.hba` and configure the file based on the documentation linked above.

pgbouncer/templates/_helpers.tpl

@@ -0,0 +1,139 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "pgbouncer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "pgbouncer.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "pgbouncer.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create content for userlist.txt secret
+*/}}
+{{- define "pgbouncer.secret.userlist" }}
+{{- if .Values.config.adminUser }}
+"{{ .Values.config.adminUser }}" "{{ required "A valid .Values.config.adminPassword entry required!" .Values.config.adminPassword }}"
+{{- end }}
+{{- if .Values.config.authUser }}
+"{{ .Values.config.authUser }}" "{{ required "A valid .Values.config.authPassword entry required!" .Values.config.authPassword }}"
+{{- end }}
+{{- range $key, $val := .Values.config.userlist }}
+"{{ $key }}" "{{ $val }}"
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "pgbouncer.serviceAccountName" -}}
+{{- if not .Values.serviceAccount.name -}}
+{{ template "pgbouncer.fullname" . }}
+{{- else -}}
+{{- .Values.serviceAccount.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Contruct and return the image to use
+*/}}
+{{- define "pgbouncer.image" -}}
+{{- if not .Values.image.registry -}}
+{{ printf "%s:%s" .Values.image.repository .Values.image.tag }}
+{{- else -}}
+{{ printf "%s/%s:%s" .Values.image.registry .Values.image.repository .Values.image.tag }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Contruct and return the exporter image to use
+*/}}
+{{- define "pgbouncer.exporterImage" -}}
+{{- if not .Values.pgbouncerExporter.image.registry -}}
+{{ printf "%s:%s" .Values.pgbouncerExporter.image.repository .Values.pgbouncerExporter.image.tag }}
+{{- else -}}
+{{ printf "%s/%s:%s" .Values.pgbouncerExporter.image.registry .Values.pgbouncerExporter.image.repository .Values.pgbouncerExporter.image.tag }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for deployment.
+*/}}
+{{- define "deployment.apiVersion" -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for PodSecurityPolicy kind of objects.
+*/}}
+{{- define "podSecurityPolicy.apiVersion" -}}
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" -}}
+{{- print "policy/v1beta1" -}}
+{{- else -}}
+{{- print "extensions/v1beta1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for PodDisruptionBudget kind of objects.
+*/}}
+{{- define "podDisruptionBudget.apiVersion" -}}
+{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
+{{- print "policy/v1" -}}
+{{- else -}}
+{{- print "policy/v1beta1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for Role kind of objects.
+*/}}
+{{- define "role.apiVersion" -}}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1/Role" -}}
+{{- print "rbac.authorization.k8s.io/v1" -}}
+{{- else -}}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1/Role" -}}
+{{- print "rbac.authorization.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "rbac.authorization.k8s.io/v1alpha1" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for RoleBinding kind of objects.
+*/}}
+{{- define "roleBinding.apiVersion" -}}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1/RoleBinding" -}}
+{{- print "rbac.authorization.k8s.io/v1" -}}
+{{- else -}}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1/RoleBinding" -}}
+{{- print "rbac.authorization.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "rbac.authorization.k8s.io/v1alpha1" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}

pgbouncer/templates/configmap.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "pgbouncer.fullname" . }}-configmap
+  labels:
+    app.kubernetes.io/name: {{ include "pgbouncer.name" . }}
+    helm.sh/chart: {{ include "pgbouncer.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+data:
+  pgbouncer.ini: |
+    [databases]
+    %include /opt/bitnami/pgbouncer/conf/databases.txt
+
+    [pgbouncer]
+    listen_addr = *
+    listen_port = 5432
+    auth_file = /etc/userlist/userlist.txt
+    admin_users = {{ .Values.config.adminUser }}
+{{- if .Values.config.authUser }}
+    auth_user = {{ .Values.config.authUser }}
+{{- end }}
+{{- range $key, $val := .Values.config.pgbouncer }}
+    {{ $key }} = {{ $val }}
+{{- end }}
+{{- if .Values.config.hba }}
+  hba.txt: |
+    {{ .Values.config.hba | nindent 4 }}
+{{- end }}
+  databases.txt: |
+    {{ .Values.config.databases | nindent 4 }}

pgbouncer/templates/deployment.yaml

@@ -0,0 +1,165 @@
+apiVersion: {{ template "deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+  name: {{ include "pgbouncer.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ template "pgbouncer.name" . }}
+    helm.sh/chart: {{ template "pgbouncer.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+  {{ if .Values.updateStrategy -}}
+  strategy: {{ .Values.updateStrategy | toYaml | trimSuffix "\n" | nindent 4 }}
+  {{ end -}}
+  {{ if .Values.minReadySeconds -}}
+  minReadySeconds: {{ .Values.minReadySeconds }}
+  {{ end -}}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "pgbouncer.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ template "pgbouncer.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- if .Values.podLabels }}
+        {{ range $key, $value := .Values.podLabels -}}
+        {{ $key }}: {{ $value | quote }}
+        {{- end -}}
+        {{- end }}
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        {{- if .Values.pgbouncerExporter.enabled }}
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "{{ .Values.pgbouncerExporter.port }}"
+        prometheus.io/path: "/metrics"
+        {{- end }}
+        {{ range $key, $value := .Values.podAnnotations -}}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
+    spec:
+      serviceAccountName: {{ template "pgbouncer.serviceAccountName" . }}
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      {{ if .Values.nodeSelector -}}
+      nodeSelector: {{ toYaml .Values.nodeSelector | trimSuffix "\n" | nindent 8 }}
+      {{ end -}}
+      {{ if .Values.tolerations -}}
+      tolerations: {{ toYaml .Values.tolerations | trimSuffix "\n" | nindent 6 }}
+      {{ end -}}
+      {{ if .Values.affinity -}}
+      affinity: {{ toYaml .Values.affinity | trimSuffix "\n" | nindent 8 }}
+      {{ end -}}
+      {{ if .Values.priorityClassName -}}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{ end -}}
+      {{ if .Values.runtimeClassName -}}
+      runtimeClassName: {{ .Values.runtimeClassName }}
+      {{ end -}}
+      {{ if len .Values.imagePullSecrets -}}
+      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | trimSuffix "\n" | nindent 6 }}
+      {{ end -}}
+      {{ if .Values.extraInitContainers -}}
+      initContainers: {{ toYaml .Values.extraInitContainers | trimSuffix "\n" | nindent 6 }}
+      {{ end -}}
+      containers:
+      - name: pgbouncer
+        image: {{ template "pgbouncer.image" . }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        lifecycle:
+          postStart:
+            exec:
+              command: 
+                - '/bin/sh'
+                - '-c'
+                - >
+                  until pids=$(pidof pgbouncer); do
+                    sleep 1
+                  done;
+                  for db_name in /etc/secrets-db/*; do
+                    cd $db_name
+                    echo "$(cat dbname) = host={{ .Values.config.postgresql.host }} port={{ .Values.config.postgresql.port }} dbname=$(cat dbname) user=$(cat user) password=$(cat password)" >> /opt/bitnami/pgbouncer/conf/databases.txt
+                  done;
+                  kill -1 1
+        env:
+          - name: POSTGRESQL_HOST
+            value: "{{ .Values.config.postgresql.host }}"
+          - name: POSTGRESQL_PORT
+            value: "{{ .Values.config.postgresql.port }}"
+          - name: PGBOUNCER_PORT
+            value: "{{ .Values.config.postgresql.port }}"
+          - name: POSTGRESQL_PASSWORD
+            value: "0"
+        {{- if .Values.extraEnvs }}
+        {{ toYaml .Values.extraEnvs | trimSuffix "\n" | nindent 10 }}
+        {{- end }}
+        ports:
+        - name: psql
+          containerPort: 5432
+          protocol: TCP
+        readinessProbe:
+          tcpSocket:
+            port: 5432
+          initialDelaySeconds: 10
+          periodSeconds: 5
+        livenessProbe:
+          tcpSocket:
+            port: 5432
+          initialDelaySeconds: 60
+          periodSeconds: 10
+        {{- if .Values.resources }}
+        resources: {{ toYaml .Values.resources | trimSuffix "\n" | nindent 10 }}
+        {{- end }}
+        volumeMounts:
+        - name: config
+          mountPath: /bitnami/pgbouncer/conf/
+        - name: userlist
+          mountPath: /etc/userlist/
+        {{- if .Values.extraVolumeMounts -}}
+        {{ toYaml .Values.extraVolumeMounts | trimSuffix "\n" | nindent 8 }}
+        {{- end }}
+      {{- if .Values.pgbouncerExporter.enabled }}
+      - name: exporter
+        image: {{ template "pgbouncer.exporterImage" . }}
+        imagePullPolicy: {{ .Values.pgbouncerExporter.image.pullPolicy }}
+        args:
+        - --web.listen-address=:{{ .Values.pgbouncerExporter.port }}
+        - --web.telemetry-path=/metrics
+        - --log.level={{ .Values.pgbouncerExporter.log.level }}
+        - --log.format={{ .Values.pgbouncerExporter.log.format }}
+        - --pgBouncer.connectionString=postgres://$(PGBOUNCER_USER):$(PGBOUNCER_PASS)@127.0.0.1:5432/pgbouncer?sslmode=disable&connect_timeout=10
+        env:
+        - name: PGBOUNCER_USER
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "pgbouncer.fullname" . }}-secret
+              key: adminUser
+        - name: PGBOUNCER_PASS
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "pgbouncer.fullname" . }}-secret
+              key: adminPassword
+        {{- if .Values.pgbouncerExporter.resources }}
+        resources: {{ toYaml .Values.pgbouncerExporter.resources | trimSuffix "\n" | nindent 10 }}
+        {{- end }}
+        ports:
+        - name: exporter
+          containerPort: {{ .Values.pgbouncerExporter.port }}
+          protocol: TCP
+      {{- end }}
+      {{ if .Values.extraContainers -}}
+      {{ toYaml .Values.extraContainers | trimSuffix "\n" | indent 6 | trimPrefix "      " }}
+      {{ end -}}
+      volumes:
+      - name: config
+        configMap:
+          defaultMode: 0777
+          name: {{ template "pgbouncer.fullname" . }}-configmap
+      - name: userlist
+        secret:
+          secretName: {{ template "pgbouncer.fullname" . }}-userlist-secret
+      {{- if .Values.extraVolumes -}}
+      {{ toYaml .Values.extraVolumes | trimSuffix "\n" | nindent 6 }}
+      {{ end -}}