This patch configures backups suitable to support the [Streaming Standby with an External Repo][0] architecture. - [x] PGO [Multiple Backup Repositories][1] to k8s pv and s3. - [x] [Encryption][2] of backups to S3. - [x] [Remove SUPERUSER][3] role from zitadel-admin pg user to work with pgbouncer. Resolves zitadel-init job failure. - [x] Take a [Manual Backup][5] [0]: https://access.crunchydata.com/documentation/postgres-operator/latest/architecture/disaster-recovery#streaming-standby-with-an-external-repo [1]: https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/backups-disaster-recovery/backups#set-up-multiple-backup-repositories [2]: https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/backups-disaster-recovery/backups#encryption [3]: https://github.com/CrunchyData/postgres-operator/issues/3095#issuecomment-1904712211 [4]: https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/backups-disaster-recovery/disaster-recovery#streaming-standby-with-an-external-repo [5]: https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/backups-disaster-recovery/backup-management#taking-a-one-off-backup
package holos
// #PlatformCerts is the set of certificates provisioned for the platform.
// Platform-wide entries are listed explicitly; per-cluster entries are
// generated from #Platform.clusters.
#PlatformCerts: {
	// Globally scoped platform services.
	login: #PlatformCert & {
		_name:        "login"
		_wildcard:    true
		_description: "Cert for Zitadel oidc identity provider for iam services"
	}

	// Cluster scoped services: one httpbin entry per cluster, keyed by
	// "<cluster>-httpbin".
	for cluster in #Platform.clusters let clusterName = cluster.name {
		"\(clusterName)-httpbin": #ClusterCert & {
			_name:        "httpbin"
			_cluster:     clusterName
			_description: "Test endpoint to verify the service mesh ingress gateway"
		}
	}
}
// #PlatformCert provisions a cert in the provisioner cluster.
// Workload clusters use ExternalSecret resources to fetch the Secret tls key
// and cert from the provisioner cluster.
//
// Callers set _name; metadata.name, the Secret name and the default
// commonName (under #Platform.org.domain) are all derived from it.
#PlatformCert: #Certificate & {
	_name:     string
	_wildcard: true | *false

	metadata: {
		name:      string | *_name
		namespace: string | *"istio-ingress"
	}

	spec: {
		commonName: string | *"\(_name).\(#Platform.org.domain)"
		// The bare commonName is always a SAN. The "*.<commonName>" SAN is
		// only added when _wildcard is set, which widens the names this key
		// may serve; it defaults to off.
		dnsNames: [commonName, if _wildcard {"*.\(commonName)"}]
		secretName: metadata.name
		issuerRef: {
			kind: "ClusterIssuer"
			name: string | *"letsencrypt"
		}
	}
}
// #ClusterCert provisions a cluster specific certificate.
//
// Callers set _name and _cluster. Unlike #PlatformCert, metadata.name is a
// concrete "<cluster>-<name>" value rather than a default, so callers cannot
// override it (presumably to keep per-cluster certs from colliding in the
// shared namespace — confirm).
#ClusterCert: #Certificate & {
	_name:     string
	_cluster:  string
	_wildcard: true | *false

	metadata: {
		// Concrete value: enforced, not a default.
		name:      "\(_cluster)-\(_name)"
		namespace: string | *"istio-ingress"
	}

	spec: {
		commonName: string | *"\(_name).\(_cluster).\(#Platform.org.domain)"
		// The bare commonName is always a SAN. The "*.<commonName>" SAN is
		// only added when _wildcard is set; it defaults to off.
		dnsNames: [commonName, if _wildcard {"*.\(commonName)"}]
		secretName: metadata.name
		issuerRef: {
			kind: "ClusterIssuer"
			name: string | *"letsencrypt"
		}
	}
}