Merge 25b1393 into 1f41a85

Author: pulledtim

.gitignore

@@ -0,0 +1,4 @@
+target/**
+it/target/**
+helpers/certs/out/**
+charts/data-space-connector/charts/**

charts/data-space-connector/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: data-space-connector
 description: Umbrella Chart for the FIWARE Data Space Connector, combining all essential parts to be used by a participant.
 type: application
-version: 24.2.27
+version: 24.5.0
 dependencies:
   - name: postgresql
     condition: postgresql.enabled
@@ -74,3 +74,8 @@ dependencies:
     condition: mongodb.enabled
     version: 16.5.21
     repository: oci://registry-1.docker.io/bitnamicharts
+  # operators
+  - name: postgres-operator
+    condition: postgres-operator.enabled
+    version: 1.14.0
+    repository: https://opensource.zalando.com/postgres-operator/charts/postgres-operator

charts/data-space-connector/templates/postgres.yaml

@@ -0,0 +1,40 @@
+{{- if .Values.managedPostgres.enabled }}
+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+  name: postgres
+  namespace: {{ $.Release.Namespace | quote }}
+  labels:
+    {{- include "dsc.labels" . | nindent 4 }}
+spec:
+  users:
+    admin: # maintainer
+      - superuser
+      - createdb
+    pap:
+      - createdb
+    keycloak:
+      - createdb
+    rainbow:
+      - createdb
+    scorpio:
+      - createdb
+      - superuser # to enable extensions
+  databases: # db: user
+    pap: pap
+    keycloak: keycloak
+    rainbow: rainbow
+    ngb: scorpio
+  patroni:
+    pg_hba: # Allow connections without ssl as db is not exposed
+      - local   all all           trust
+      - hostssl all all 0.0.0.0/0 md5
+      - host    all all 0.0.0.0/0 md5
+  preparedDatabases:
+    ngb:
+      defaultUsers: true
+      extensions:
+        postgis: public
+        timescaledb: public
+{{- toYaml .Values.managedPostgres.config | nindent 2 }}
+{{- end }}

charts/data-space-connector/values.yaml

@@ -435,6 +435,24 @@ elsi:
   # -- password of the key
   keyPassword:
 
+## Installation of the postgres-operator - see https://github.com/zalando/postgres-operator
+postgres-operator:
+  # -- should the postgres-operator be installed
+  enabled: false
+
+## Usage of the postgres-operator - see https://github.com/zalando/postgres-operator
+managedPostgres:
+  # -- should it be enabled? Requires the postgres-operator CRDs to be installed before applying the chart
+  enabled: false
+  # -- config as defined in https://github.com/zalando/postgres-operator/blob/master/charts/postgres-operator/crds/postgresqls.yaml
+  config:
+    teamId: "dsc"
+    volume:
+      size: 1Gi
+    numberOfInstances: 1
+    postgresql:
+      version: "17"
+
 ## configuration of the keycloak - see https://github.com/bitnami/charts/tree/main/bitnami/keycloak for details
 keycloak:
   # -- should it be enabled? set to false if one outside the chart is used.

k3s/infra/postgres-operator/INFO.md

@@ -0,0 +1,3 @@
+## Postgres Operator
+
+The postgres-operator can be installed in your cluster as described [here](https://github.com/zalando/postgres-operator/blob/master/docs/quickstart.md#deployment-options). As ```helm template``` does not normally render the necessary CRDs, include the ```--include-crds``` option when updating this operator

k3s/infra/postgres-operator/clusterrole-postgres-pod.yaml

@@ -0,0 +1,44 @@
+---
+# Source: postgres-operator/templates/clusterrole-postgres-pod.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: postgres-pod
+  labels:
+    app.kubernetes.io/name: postgres-operator
+    helm.sh/chart: postgres-operator-1.14.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/instance: postgres-operator
+rules:
+# Patroni needs to watch and manage config maps or endpoints
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+# Patroni needs to watch pods
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+# to let Patroni create a headless service
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create

k3s/infra/postgres-operator/clusterrole.yaml

@@ -0,0 +1,207 @@
+---
+# Source: postgres-operator/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: postgres-operator
+  labels:
+    app.kubernetes.io/name: postgres-operator
+    helm.sh/chart: postgres-operator-1.14.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/instance: postgres-operator
+rules:
+# all verbs allowed for custom operator resources
+- apiGroups:
+  - acid.zalan.do
+  resources:
+  - postgresqls
+  - postgresqls/status
+  - operatorconfigurations
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+# operator only reads PostgresTeams
+- apiGroups:
+  - acid.zalan.do
+  resources:
+  - postgresteams
+  verbs:
+  - get
+  - list
+  - watch
+# all verbs allowed for event streams
+# to create or get/update CRDs when starting up
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - create
+  - patch
+  - update
+# to send events to the CRs
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+# to manage endpoints/configmaps which are also used by Patroni
+# to read configuration from ConfigMaps
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+# to CRUD secrets for database access
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - patch
+  - update
+# to check nodes for node readiness label
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+# to read or delete existing PVCs. Creation via StatefulSet
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - delete
+  - get
+  - list
+  - patch
+  - update
+ # to read existing PVs. Creation should be done via dynamic provisioning
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+# to watch Spilo pods and do rolling updates. Creation via StatefulSet
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+# to resize the filesystem in Spilo pods when increasing volume size
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
+# to CRUD services to point to Postgres cluster instances
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - patch
+  - update
+# to CRUD the StatefulSet which controls the Postgres cluster instances
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  - deployments
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+# to CRUD cron jobs for logical backups
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+# to get namespaces operator resources can run in
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+# to define PDBs. Update happens via delete/create
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
+  - get
+# to create ServiceAccounts in each namespace the operator watches
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - create
+# to create role bindings to the postgres-pod service account
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  verbs:
+  - get
+  - create

k3s/infra/postgres-operator/clusterrolebinding.yaml

@@ -0,0 +1,19 @@
+---
+# Source: postgres-operator/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: postgres-operator
+  labels:
+    app.kubernetes.io/name: postgres-operator
+    helm.sh/chart: postgres-operator-1.14.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/instance: postgres-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: postgres-operator
+subjects:
+- kind: ServiceAccount
+  name: postgres-operator
+  namespace: postgres-operator