(keycloak) Add more config options for cnpg bootstrap #1341

cluster/apps/auth/realms/bloopysphere/db/backup-schedule.yaml

@@ -2,11 +2,11 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: ScheduledBackup
 metadata:
-  name: postgres-v15
-  namespace: database
+  name: backup-schedule-kc-postgres-v1
+  namespace: auth
 spec:
   schedule: "@daily"
   immediate: true
   backupOwnerReference: self
   cluster:
-    name: postgres-v15
+    name: kc-postgres

cluster/apps/auth/realms/bloopysphere/db/cnpg-v15.yaml

@@ -3,7 +3,7 @@ apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
   name: kc-postgres
-  namespace: database
+  namespace: auth
 spec:
   instances: 3
 
@@ -25,6 +25,15 @@ spec:
   superuserSecret:
     name: cloudnative-pg-postgres-superuser
 
+  bootstrap:
+    # https://www.keycloak.org/server/db
+    initdb:
+      owner: keycloak
+      database: keycloak
+      secret:
+        name: kc-postgres-user
+      encoding: 'UTF8'
+
   backup:
     retentionPolicy: 30d
     barmanObjectStore:

cluster/apps/auth/realms/bloopysphere/db/kustomization.yaml

@@ -4,3 +4,6 @@ kind: Kustomization
 resources:
   - ./obc-backup-v1.yaml
   - ./backup-schedule.yaml
+  - ./secret.sops.yaml
+  # - ./prometheus-rule.yaml
+  # - ./cnpg-v15.yaml

cluster/apps/auth/realms/bloopysphere/db/prometheus-rule.yaml

@@ -0,0 +1,68 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/prometheusrule_v1.json
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: kc-cnpg-rules
+  namespace: auth
+  labels:
+    prometheus: k8s
+    role: alert-rules
+spec:
+  groups:
+    - name: cloudnative-pg.rules
+      rules:
+        - alert: LongRunningTransaction
+          annotations:
+            description: Pod {{ $labels.pod }} is taking more than 5 minutes (300 seconds) for a query.
+            summary: A query is taking longer than 5 minutes.
+          expr: |-
+            cnpg_backends_max_tx_duration_seconds > 300
+          for: 1m
+          labels:
+            severity: warning
+        - alert: BackendsWaiting
+          annotations:
+            description: Pod {{ $labels.pod }} has been waiting for longer than 5 minutes
+            summary: If a backend is waiting for longer than 5 minutes
+          expr: |-
+            cnpg_backends_waiting_total > 300
+          for: 1m
+          labels:
+            severity: warning
+        - alert: PGDatabase
+          annotations:
+            description: Over 150,000,000 transactions from frozen xid on pod {{ $labels.pod }}
+            summary: Number of transactions from the frozen XID to the current one
+          expr: |-
+            cnpg_pg_database_xid_age > 150000000
+          for: 1m
+          labels:
+            severity: warning
+        - alert: PGReplication
+          annotations:
+            description: Standby is lagging behind by over 300 seconds (5 minutes)
+            summary: The standby is lagging behind the primary
+          expr: |-
+            cnpg_pg_replication_lag > 300
+          for: 1m
+          labels:
+            severity: warning
+        - alert: LastFailedArchiveTime
+          annotations:
+            description: Archiving failed for {{ $labels.pod }}
+            summary: Checks the last time archiving failed. Will be -1 when it has not failed.
+          expr: |-
+            delta(cnpg_pg_stat_archiver_last_failed_time[5m]) > 0
+          for: 1m
+          labels:
+            severity: warning
+        - alert: DatabaseDeadlockConflicts
+          annotations:
+            description: There are over 10 deadlock conflicts in {{ $labels.pod }}
+            summary: Checks the number of database conflicts
+          expr: |-
+            cnpg_pg_stat_database_deadlocks > 10
+          for: 1m
+          labels:
+            severity: warning

cluster/apps/auth/realms/bloopysphere/db/secret.sops.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: kc-postgres-user
+    namespace: auth
+type: kubernetes.io/basic-auth
+stringData:
+    username: ENC[AES256_GCM,data:lvZhTDjh9z4=,iv:rvTSYKK3qmDoQCnERiIGBV+IHDW+puX9bPMFmrCeIdM=,tag:z6jeqUBsVayWyBdN6cXnhg==,type:str]
+    password: ENC[AES256_GCM,data:+yWSMvkUed0uqAxHw+HtrvIo8iud2VkG7R4vXpk=,iv:vz+9BohoNRt3knBDlicMdIQ+uI+SG5eIUJ/mxETVRuc=,tag:ollXHxvirted1GE09XV93g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hr5v66mq2rtflw8vrzmdlaku48v0j5l2wr58lrdmxqp5decczugs3rr6yt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZXliQnpSRmlPdThhS3I3
+            OW5TenZuWktPSzJZQzRpVEdlVENjd3IwYVJ3Ckc2U1Q1V3lVcnRxNVBFZC9DdXZD
+            QlJ1MHo0VUdlQ1dPclZYUkgvREo3VmsKLS0tIEQ5QS85R0xDcVM0WjVVKzdnaUNE
+            R3ZnRkY3RnNJWS9OalNlTUdST3hvbGsK545ZXuT9jVKKbl+jqhzT6x5JOC+prTjg
+            sIwHVXrS7IZRhrTH4P8lEkuv83cRUKJ/OrqJKzEcnK64lvMUZ037mg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1rp9r7wvsgy6zcl3j4v7kvnrv29sawvqhlm759j9x6zvs0f9ry4kqtmajrq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2VDFuNDNaemJCQmpyeVYy
+            U3ozSTV2OVdjWklqNFo2eEZaeCs0V1kzd0RBCkM0UlNjVTlocTk5L3lHQUxqWEMy
+            YnpPS0dkNW9uUVJoaU44UGVCTFhlcmcKLS0tIGNhTVlyQUNGeXBNd055TjNldnlT
+            U3dseXc0SzYzK0poQWU0MUlrV3F4cmsKQoIt+fIjFnaUQ6oX6sdrG0gzfdcCKmTX
+            +fUptb0JEkcvD+tRESdRtH7kGdp/MzJRzUBx8RgXeVhvm0s5rCScCA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-03-19T16:27:47Z"
+    mac: ENC[AES256_GCM,data:Pf10IBwFNZXdgjY4HiROFnbOM77AU91Yr46F/LG/bDiKgkHOenrSBTPtK3Qb/xu+CiMGtBL5eDXeJQRvW18VFVxgbdq2iblUh+DfpZbfldtjuQEmxTM+dsideapaeH/dGBW13PoJQ+WohPQAcXbSWWMbiFIwxZozcttiWi3Cyd4=,iv:uFvzjXW2bt9vrXLjrBFy3+c5K7pXdeT+/NVbb5AAFP0=,tag:ZdswiykMKtMz0uABTfUp4Q==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.1

cluster/apps/auth/realms/bloopysphere/keycloak.yaml

@@ -15,6 +15,6 @@ spec:
       name: keycloak-db-secret
       key: password
   http:
-    tlsSecret: example-tls-secret
+    tlsSecret: tls.${XYZ_DOMAIN/./-}
   hostname:
-    hostname: test.keycloak.org
+    hostname: id.${XYZ_DOMAIN}