// Declares the PostgreSQL cluster for authentik as a `postgresql` custom
// resource (apiVersion acid.zalan.do/v1), named "<instance>-<component>" in
// var.namespace.
//
// - One database named after var.component, owned by the role of the same name.
// - Instance count, engine version and volume size come from var.postgres.
// - The k8up.io pod annotations give the backup command (a `pg_dump --clean` of
//   the component database, run as the `postgres` user) and the file extension
//   used for the resulting dump.
//
// NOTE(review): the application role is created with the "superuser" and
// "createdb" flags. This database backs the identity provider, so a superuser
// application role means a compromise of the application credentials is a
// compromise of the whole cluster. Confirm whether authentik needs more than
// ownership of its own database and drop the flags if it does not.
//
// NOTE(review): the namespace, name and version values are interpolated into
// YAML as quoted strings, while numberOfInstances and labels are interpolated
// unquoted. Presumably var.postgres.replicas is a number and
// local.common-labels is a map - confirm against the variable definitions.
resource "kubectl_manifest" "authentik_postgresql" {
  yaml_body = <<-EOF
    apiVersion: "acid.zalan.do/v1"
    kind: "postgresql"
    metadata:
      name: "${var.instance}-${var.component}"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.common-labels)}
    spec:
      databases:
        ${var.component}: "${var.component}"
      numberOfInstances: ${var.postgres.replicas}
      podAnnotations:
        "k8up.io/backupcommand": "pg_dump -U postgres -d ${var.component} --clean"
        "k8up.io/file-extension": ".sql"
      postgresql:
        version: "${var.postgres.version}"
      teamId: "${var.instance}"
      users:
        ${var.component}:
          - "superuser"
          - "createdb"
      volume:
        size: "${var.postgres.storage}"
  EOF
}
// Since each authentik worker creates a new connection to the DB,
// lots of logs are created, measuring in GBs of junk,
// so a daily cleanup makes sense.
// ConfigMap "<instance>-<component>-cleanlogs" holding clean.sh, the script the
// cleanlogs CronJob mounts at /script and runs with /bin/ash.
//
// What clean.sh does, in order:
//   1. prints the postgresql.conf lines matching both "log" and "conn";
//   2. rewrites log_connections and log_disconnections to 'off' in
//      /pgdata/pgroot/data/postgresql.conf with `sed -i`;
//   3. prints the same lines again so the job log shows before and after;
//   4. for every file matching /pgdata/pgroot/pg_log/*csv, deletes each line
//      that contains the word "connection";
//   5. prints disk usage of /pgdata/pgroot.
//
// `$(date ...)` and `$i` reach the shell untouched: Terraform only interpolates
// `${...}` inside a heredoc.
//
// NOTE(review): step 4 removes the record of who connected to the identity
// provider's database and when, and its pattern matches any line containing
// "connection", not only log_connections entries. If these logs are needed
// for audit or incident response, ship them off the volume before this job
// runs, or bound the volume with log rotation/retention instead of deleting
// lines in place.
//
// NOTE(review): the script edits postgresql.conf but does not reload
// PostgreSQL, so the change presumably only applies after a later reload or
// restart - confirm. The acid.zalan.do/v1 `postgresql` resource accepts
// `spec.postgresql.parameters`, which would set log_connections and
// log_disconnections declaratively instead of patching the file from a
// second pod.
//
// NOTE(review): when the glob matches nothing, the loop runs once on the
// literal pattern and `sed` fails on it; the script has no `set -e`, so its
// exit status is that of the final `df`.
resource "kubectl_manifest" "authentik_cleanup_logs_script" {
  yaml_body = <<-EOF
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: "${var.instance}-${var.component}-cleanlogs"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.common-labels)}
    data:
      "clean.sh": |-
        #!/bin/ash
        grep log /pgdata/pgroot/data/postgresql.conf|grep conn
        echo "$(date '+%T') - Enforcing configuration"
        sed -i "s/^log_connections.*/log_connections = 'off'/;s/^log_disconnections.*/log_disconnections = 'off'/" /pgdata/pgroot/data/postgresql.conf
        grep log /pgdata/pgroot/data/postgresql.conf|grep conn
        for i in /pgdata/pgroot/pg_log/*csv;do echo "$(date '+%T') - Cleaning $i";sed -i '/connection/d' "$i";done
        df -h /pgdata/pgroot
  EOF
}
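// CronJob "<instance>-<component>-cleanlogs": runs /script/clean.sh (from the
// cleanlogs ConfigMap) with /bin/ash on the schedule in
// var.postgres.cleanlogs.schedule, with the PostgreSQL data volume mounted
// read-write at /pgdata.
//
// - concurrencyPolicy Forbid: a new run is skipped while the previous one is
//   still active, so two jobs never edit the same files at once.
// - The pod runs as UID 405 / GID 100 with fsGroup 100. Presumably these are
//   the IDs that have write access to the files under /pgdata - confirm
//   against the image and the volume's ownership.
//
// Hardening applied to the pod, which holds the database files read-write:
// - automountServiceAccountToken: false - the script never calls the
//   Kubernetes API, so no token is mounted next to the data.
// - runAsNonRoot: true - makes the kubelet refuse to start the container if
//   the UID is ever changed to 0.
// - seccompProfile RuntimeDefault, allowPrivilegeEscalation: false and all
//   capabilities dropped - the script only needs grep, sed, echo and df.
//
// NOTE(review): claimName is fixed to ordinal 0, so with
// var.postgres.replicas > 1 only the first instance's volume is cleaned.
// NOTE(review): the claim is the one the database pod itself uses. If it is
// ReadWriteOnce the job can only run on the node where that pod runs -
// confirm the access mode.
// NOTE(review): imagePullPolicy IfNotPresent with a mutable tag lets nodes
// run different images under the same name; pinning
// var.postgres.cleanlogs.image by digest avoids that - check how the
// variable is set.
resource "kubectl_manifest" "authentik_cleanup_logs_job" {
  yaml_body = <<-EOF
    apiVersion: batch/v1
    kind: CronJob
    metadata:
      name: "${var.instance}-${var.component}-cleanlogs"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.common-labels)}
    spec:
      concurrencyPolicy: Forbid
      failedJobsHistoryLimit: 1
      jobTemplate:
        spec:
          template:
            spec:
              restartPolicy: OnFailure
              automountServiceAccountToken: false
              containers:
                - image: "${var.postgres.cleanlogs.image}"
                  imagePullPolicy: IfNotPresent
                  name: cleanlogs
                  command: ["/bin/ash"]
                  args: ["/script/clean.sh"]
                  securityContext:
                    allowPrivilegeEscalation: false
                    capabilities:
                      drop: ["ALL"]
                  volumeMounts:
                    - mountPath: /pgdata
                      name: pgdata
                    - mountPath: /script
                      name: script
              securityContext:
                fsGroup: 100
                runAsGroup: 100
                runAsUser: 405
                runAsNonRoot: true
                seccompProfile:
                  type: RuntimeDefault
              volumes:
                - name: script
                  configMap:
                    name: ${kubectl_manifest.authentik_cleanup_logs_script.name}
                - name: pgdata
                  persistentVolumeClaim:
                    claimName: pgdata-${var.instance}-${var.component}-0
      schedule: "${var.postgres.cleanlogs.schedule}"
      successfulJobsHistoryLimit: 3
  EOF
}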