(kc-pg) Add first cnpg cluster #1341

.gitignore

@@ -47,4 +47,5 @@ infrastructure/bare-metal/*
 infrastructure/shared/networks.yaml
 infrastructure/terraform/vault/*
 *volsync-config.yaml
-cluster/apps/auth/realms/*
+cluster/apps/auth/realms/bloopysphere/keycloak.yaml
+cluster/apps/auth/realms/bloopysphere/certificate.yaml

cluster/apps/auth/kustomization.yaml

@@ -2,5 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  # - keycloak
+  - keycloak
   - authentik

cluster/apps/auth/realms/bloopysphere/db/README.md

@@ -0,0 +1,3 @@
+# Database
+
+For this instance I am using [cloudnative-pg](https://github.com/cloudnative-pg/cloudnative-pg) for the postgres database. The backing storage will just be `local-path` as it is kind of wasteful to use ceph for backing storage since the cnpg operator will be replicating it anyway. Backups will be done into a ceph-rgw object-store. For this an `ObjectBucketClaim` is created. The `rook-ceph-operator` will provision the bucket and then add a configMap and secret to the bucket namespace which will contain credentials that can be used by the backup process. See [ObjectBucketClaim Documentation](https://rook.io/docs/rook/v1.9/Storage-Configuration/Object-Storage-RGW/ceph-object-bucket-claim/)

cluster/apps/auth/realms/bloopysphere/db/backup-schedule.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: postgres-v15
+  namespace: database
+spec:
+  schedule: "@daily"
+  immediate: true
+  backupOwnerReference: self
+  cluster:
+    name: postgres-v15

cluster/apps/auth/realms/bloopysphere/db/cnpg-v15.yaml

@@ -0,0 +1,44 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: kc-postgres
+  namespace: database
+spec:
+  instances: 3
+
+  imageName: ghcr.io/cloudnative-pg/postgresql:15.2
+
+  primaryUpdateStrategy: unsupervised
+
+  storage:
+    size: 5Gi
+    storageClass: local-path
+  postgresql:
+    parameters:
+      max_connections: "300"
+      shared_buffers: 512MB
+
+  monitoring:
+    enablePodMonitor: true
+
+  superuserSecret:
+    name: cloudnative-pg-postgres-superuser
+
+  backup:
+    retentionPolicy: 30d
+    barmanObjectStore:
+      wal:
+        compression: bzip2
+        maxParallel: 5
+      destinationPath: s3://cnpg/v15/v1
+      endpointURL: http://rook-ceph-rgw-ceph-objectstore.rook-ceph.svc.cluster.local
+      s3Credentials:
+        accessKeyId:
+          name: cloudnative-pg-postgres-s3
+          key: S3_ACCESS_KEY
+        secretAccessKey:
+          name: cloudnative-pg-postgres-s3
+          key: S3_SECRET_KEY
+
+  externalClusters: []

cluster/apps/auth/realms/bloopysphere/db/obc-backup-v1.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+  name: cnpg-kc-backup-v1
+  namespace: auth
+spec:
+  generateBucketName: kc-postgres-backup
+  storageClassName: rook-ceph-bucket
+  additionalConfig:
+    maxObjects: "1000"
+    maxSize: "2G"

cluster/apps/auth/realms/bloopysphere/keycloak.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: k8s.keycloak.org/v2alpha1
+kind: Keycloak
+metadata:
+  name: example-kc
+spec:
+  instances: 1
+  db:
+    vendor: postgres
+    host: postgres-db
+    usernameSecret:
+      name: keycloak-db-secret
+      key: username
+    passwordSecret:
+      name: keycloak-db-secret
+      key: password
+  http:
+    tlsSecret: example-tls-secret
+  hostname:
+    hostname: test.keycloak.org

cluster/apps/auth/realms/bloopysphere/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # - ./certificate.yaml
+  - ./db

cluster/apps/auth/realms/kustomizations.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./bloopysphere