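# Multi-document manifest for a Nextcloud-style deployment ("cloud") backed by
# PostgreSQL, with cert-manager TLS, an nginx Ingress and a restic/S3 backup
# CronJob plus an idle restore Deployment. The original file was collapsed onto
# a handful of lines; it is reformatted here one resource per document.
#
# Changes versus the original, beyond layout:
#   - CronJob label `app.kubernetes.part-of` corrected to `app.kubernetes.io/part-of`
#     so it matches the key used by every other resource in this file.
#   - cron `schedule` quoted so the `*` fields can never be read as alias syntax.
#   - Review notes (NOTE(review)) on points that still need a decision.
#
# NOTE(review): every Secret below is plain base64, not encryption; the encoded
# values here decode to obvious placeholders (e.g. "nextcloud", "cloudadmin").
# Replace them before use and keep real values out of version control.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: postgres-config
  labels:
    app: postgres
data:
  # Database name consumed as POSTGRES_DB by the postgresql and cloud Deployments.
  postgres-db: postgres
  # NOTE(review): mounted at /etc/postgresql/postgresql.conf below; the stock
  # postgres image reads $PGDATA/postgresql.conf unless started with
  # `-c config_file=...` — confirm this file is actually picked up.
  postgresql.conf: |
    max_connections = 700
    work_mem = 3MB
    shared_buffers = 2048MB
---
apiVersion: v1
kind: Secret
metadata:
  name: postgres-secret
type: Opaque
data:
  # base64 placeholders — see file header.
  postgres-user: bmV4dGNsb3Vk
  postgres-password: bmV4dGNsb3VkLWRiLXBhc3N3b3Jk
---
kind: PersistentVolume
apiVersion: v1
metadata:
  name: postgres-pv-volume
  labels:
    type: local
spec:
  storageClassName: manual
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 10Gi
  # NOTE(review): hostPath pins the data to one node's filesystem and is only
  # suitable for single-node/test clusters.
  hostPath:
    path: /var/postgres
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: postgres-claim
  labels:
    app: postgres
spec:
  storageClassName: manual
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgresql
spec:
  selector:
    matchLabels:
      app: postgresql
  # Recreate: the data volume is ReadWriteOnce, so two pods must never overlap.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: postgresql
    spec:
      containers:
        # NOTE(review): untagged image resolves to :latest; pin a major version
        # so a pull cannot silently move the data directory to a newer format.
        - image: postgres
          name: postgresql
          env:
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: postgres-secret
                  key: postgres-user
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-secret
                  key: postgres-password
            - name: POSTGRES_DB
              valueFrom:
                configMapKeyRef:
                  name: postgres-config
                  key: postgres-db
          ports:
            - containerPort: 5432
              name: postgresql
          volumeMounts:
            - name: postgres-config-volume
              mountPath: /etc/postgresql/postgresql.conf
              subPath: postgresql.conf
              readOnly: true
            - name: postgre-data-volume
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: postgres-config-volume
          configMap:
            name: postgres-config
        - name: postgre-data-volume
          persistentVolumeClaim:
            claimName: postgres-claim
---
apiVersion: v1
kind: Service
metadata:
  name: postgresql-service
spec:
  selector:
    app: postgresql
  ports:
    - port: 5432
---
kind: PersistentVolume
apiVersion: v1
metadata:
  name: cloud-pv-volume
  labels:
    type: local
    app.kubernetes.io/application: cloud
spec:
  storageClassName: manual
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 200Gi
  # NOTE(review): hostPath — single-node/test use only, as for postgres-pv-volume.
  hostPath:
    path: /var/cloud
---
apiVersion: v1
kind: Secret
metadata:
  # NOTE(review): this name is reused as the TLS `secretName` by the Certificate
  # and Ingress below, so cert-manager will write tls.crt/tls.key into the same
  # Secret that holds the admin credentials, and a re-apply of this document
  # drops them again. Give the certificate its own Secret name.
  name: cloud-secret
type: Opaque
data:
  # base64 placeholders — see file header.
  nextcloud-admin-user: Y2xvdWRhZG1pbg==
  nextcloud-admin-password: Y2xvdWRwYXNzd29yZA==
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: cloud-pvc
  labels:
    app.kubernetes.io/application: cloud
spec:
  storageClassName: manual
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 200Gi
  # Binds only to a PV carrying the same application label (cloud-pv-volume).
  selector:
    matchLabels:
      app.kubernetes.io/application: cloud
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloud-deployment
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: cloud-pod
      app.kubernetes.io/application: cloud
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/name: cloud-pod
        app.kubernetes.io/application: cloud
        # Bumping this label forces a rollout without changing the image.
        redeploy: v3
    spec:
      containers:
        - image: domaindrivenarchitecture/c4k-cloud
          name: cloud-app
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
          # NOTE(review): this probe checks reachability of the database, not
          # the web application; a database outage restarts the cloud pod in a
          # loop. The password is passed as a shell env assignment, so it is
          # not part of psql's argv.
          livenessProbe:
            exec:
              command:
                - /bin/sh
                - '-c'
                - 'PGPASSWORD=$POSTGRES_PASSWORD psql -h postgresql-service -U $POSTGRES_USER $POSTGRES_DB'
            initialDelaySeconds: 1
            periodSeconds: 5
          env:
            - name: NEXTCLOUD_ADMIN_USER
              valueFrom:
                secretKeyRef:
                  name: cloud-secret
                  key: nextcloud-admin-user
            - name: NEXTCLOUD_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: cloud-secret
                  key: nextcloud-admin-password
            - name: NEXTCLOUD_TRUSTED_DOMAINS
              value: cloudhost
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: postgres-secret
                  key: postgres-user
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-secret
                  key: postgres-password
            - name: POSTGRES_DB
              valueFrom:
                configMapKeyRef:
                  name: postgres-config
                  key: postgres-db
            - name: POSTGRES_HOST
              value: 'postgresql-service:5432'
          volumeMounts:
            - name: cloud-data-volume
              mountPath: /var/www/html
      volumes:
        - name: cloud-data-volume
          persistentVolumeClaim:
            claimName: cloud-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: cloud-service
  labels:
    app.kubernetes.io/name: cloud-service
    app.kubernetes.io/application: cloud
spec:
  selector:
    app.kubernetes.io/name: cloud-pod
    app.kubernetes.io/application: cloud
  ports:
    - port: 80
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cloud-cert
  namespace: default
spec:
  # NOTE(review): collides with the Opaque Secret `cloud-secret` above (admin
  # credentials); use a dedicated Secret name for the issued certificate.
  secretName: cloud-secret
  commonName: cloudhost
  dnsNames:
    - cloudhost
  # Staging issuer: certificates are not browser-trusted; switch for production.
  issuerRef:
    name: letsencrypt-staging-issuer
    kind: ClusterIssuer
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-cloud
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-staging-issuer
    nginx.ingress.kubernetes.io/proxy-body-size: 256m
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-connect-timeout: '300'
    nginx.ingress.kubernetes.io/proxy-send-timeout: '300'
    nginx.ingress.kubernetes.io/proxy-read-timeout: '300'
  namespace: default
spec:
  tls:
    - hosts:
        - cloudhost
      # NOTE(review): same Secret-name collision as in the Certificate above.
      secretName: cloud-secret
  rules:
    - host: cloudhost
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: cloud-service
                port:
                  number: 80
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: backup-config
  labels:
    app.kubernetes.io/name: backup
    app.kubernetes.io/part-of: cloud
data:
  restic-repository: 's3://k3stesthost:mybucket'
---
apiVersion: v1
kind: Secret
metadata:
  name: backup-secret
type: Opaque
data:
  # base64 placeholders — see file header.
  aws-access-key-id: YXdzLWlk
  aws-secret-access-key: YXdzLXNlY3JldA==
  restic-password: cmVzdGljLXBhc3N3b3Jk
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: cloud-backup
  labels:
    # Was `app.kubernetes.part-of` (typo); every other resource uses this key.
    app.kubernetes.io/part-of: cloud
spec:
  # Daily at 23:10 cluster time; quoted so `*` is never read as an alias.
  schedule: '10 23 * * *'
  # No job history is kept, so failed backups leave no pod logs behind.
  successfulJobsHistoryLimit: 0
  failedJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: backup-app
              image: domaindrivenarchitecture/c4k-cloud-backup
              imagePullPolicy: IfNotPresent
              command:
                - /entrypoint.sh
              env:
                # NOTE(review): these *_FILE paths point into the mount of
                # `cloud-secret`, which in this file only carries
                # nextcloud-admin-user/-password. The postgres-user and
                # postgres-password keys live in `postgres-secret` and
                # postgres-db in the `postgres-config` ConfigMap, so as written
                # the files will not exist at runtime — confirm against the
                # entrypoint or mount the right sources.
                - name: POSTGRES_USER_FILE
                  value: /var/run/secrets/cloud-secrets/postgres-user
                - name: POSTGRES_DB_FILE
                  value: /var/run/secrets/cloud-secrets/postgres-db
                - name: POSTGRES_PASSWORD_FILE
                  value: /var/run/secrets/cloud-secrets/postgres-password
                - name: POSTGRES_HOST
                  value: 'postgresql-service:5432'
                - name: POSTGRES_SERVICE
                  value: postgresql-service
                - name: POSTGRES_PORT
                  value: '5432'
                - name: AWS_DEFAULT_REGION
                  value: eu-central-1
                - name: AWS_ACCESS_KEY_ID_FILE
                  value: /var/run/secrets/backup-secrets/aws-access-key-id
                - name: AWS_SECRET_ACCESS_KEY_FILE
                  value: /var/run/secrets/backup-secrets/aws-secret-access-key
                - name: RESTIC_REPOSITORY
                  valueFrom:
                    configMapKeyRef:
                      name: backup-config
                      key: restic-repository
                - name: RESTIC_PASSWORD_FILE
                  value: /var/run/secrets/backup-secrets/restic-password
              volumeMounts:
                - name: cloud-data-volume
                  mountPath: /var/backups
                - name: backup-secret-volume
                  mountPath: /var/run/secrets/backup-secrets
                  readOnly: true
                - name: cloud-secret-volume
                  mountPath: /var/run/secrets/cloud-secrets
                  readOnly: true
          volumes:
            # NOTE(review): cloud-pvc is ReadWriteOnce and is also mounted by
            # cloud-deployment; on a multi-node cluster the backup pod can only
            # run on the node already holding the volume.
            - name: cloud-data-volume
              persistentVolumeClaim:
                claimName: cloud-pvc
            - name: cloud-secret-volume
              secret:
                secretName: cloud-secret
            - name: backup-secret-volume
              secret:
                secretName: backup-secret
          restartPolicy: OnFailure
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backup-restore
spec:
  # Kept at zero replicas; scale up by hand to run a restore.
  replicas: 0
  selector:
    matchLabels:
      app: backup-restore
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: backup-restore
        app.kubernetes.io/name: backup-restore
        app.kubernetes.io/part-of: cloud
    spec:
      containers:
        - name: backup-app
          image: domaindrivenarchitecture/c4k-cloud-backup
          imagePullPolicy: IfNotPresent
          command:
            - /entrypoint-start-and-wait.sh
          env:
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: postgres-secret
                  key: postgres-user
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-secret
                  key: postgres-password
            - name: POSTGRES_DB
              valueFrom:
                configMapKeyRef:
                  name: postgres-config
                  key: postgres-db
            - name: POSTGRES_HOST
              value: 'postgresql-service:5432'
            - name: POSTGRES_SERVICE
              value: postgresql-service
            - name: POSTGRES_PORT
              value: '5432'
            - name: AWS_DEFAULT_REGION
              value: eu-central-1
            - name: AWS_ACCESS_KEY_ID_FILE
              value: /var/run/secrets/backup-secrets/aws-access-key-id
            - name: AWS_SECRET_ACCESS_KEY_FILE
              value: /var/run/secrets/backup-secrets/aws-secret-access-key
            - name: RESTIC_REPOSITORY
              valueFrom:
                configMapKeyRef:
                  name: backup-config
                  key: restic-repository
            - name: RESTIC_PASSWORD_FILE
              value: /var/run/secrets/backup-secrets/restic-password
          volumeMounts:
            - name: cloud-data-volume
              mountPath: /var/backups
            - name: backup-secret-volume
              mountPath: /var/run/secrets/backup-secrets
              readOnly: true
            - name: cloud-secret-volume
              mountPath: /var/run/secrets/cloud-secrets
              readOnly: true
      volumes:
        - name: cloud-data-volume
          persistentVolumeClaim:
            claimName: cloud-pvc
        - name: cloud-secret-volume
          secret:
            secretName: cloud-secret
        - name: backup-secret-volume
          secret:
            secretName: backup-secret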