├── .env.template ├── .gitattributes ├── .github ├── pull_request_template.md └── workflows │ ├── chart-check-docs.yml │ └── release-charts.yml ├── .gitignore ├── .pre-commit-config.yaml ├── LICENSE.md ├── PRODUCTION.md ├── README.md ├── examples ├── otel-prometheus-setup │ ├── README.md │ └── peerdb-telemetry │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ └── values.yaml └── production-with-gitops │ ├── README.md │ ├── peerdb-enterprise-catalog │ ├── .helmignore │ ├── Chart.yaml │ ├── templates │ │ ├── creds.default.external-secret.yaml │ │ └── ssl.external-secret.yaml │ └── values.yaml │ └── peerdb-enterprise │ ├── .helmignore │ ├── Chart.yaml │ ├── templates │ ├── creds.peerdb.external-secret.yaml │ ├── creds.temporal.default.external-secret.yaml │ └── creds.temporal.visibility.external-secret.yaml │ └── values.yaml ├── images └── banner.jpg ├── install_catalog.sh ├── install_peerdb.sh ├── peerdb-catalog ├── .helmignore ├── Chart.yaml ├── README.md ├── aws-ca-bundle.pem ├── pgSetup │ ├── .gitignore │ ├── Makefile │ ├── go.mod │ ├── go.sum │ └── main.go ├── templates │ ├── _helpers.tpl │ ├── catalog-postgres-cluster.yaml │ ├── catalog-ssl-certificate-secret.yaml │ ├── customer-values-secret.yaml │ ├── setup-catalog-schema-jobs.yaml │ ├── setup-postgres-job.yaml │ └── tests │ │ └── schema-version-test.yaml ├── values.customer.yaml └── values.yaml ├── peerdb ├── .helmignore ├── Chart.yaml ├── README.md ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── auth-deployment.yaml │ ├── auth-service.yaml │ ├── authentication-healthcheck-config.yaml │ ├── authentication-htpasswd-secret.yaml │ ├── authentication-nginx-config.yaml │ ├── authentication │ │ ├── _helpers.tpl │ │ ├── healthcheck.sh.tmpl │ │ ├── httpaswd.tmpl │ │ └── nginx.conf.tpl │ ├── catalog-secrets.yaml │ ├── customer-values-secret.yaml │ ├── flow-api-deployment.yaml │ ├── flow-api-service.yaml │ ├── flow-snapshot-service.yaml │ ├── flow-snapshot-worker-stateful-set.yaml │ ├── flow-worker-deployment.yaml │ 
├── mirror-name-search-attribute-job.yaml │ ├── peerdb-server-deployment.yaml │ ├── peerdb-server-service.yaml │ ├── peerdb-server-ui-secret.yaml │ ├── peerdb-ui-deployment.yaml │ ├── peerdb-ui-ingress.yaml │ ├── peerdb-ui-service.yaml │ ├── register-namespace-job.yaml │ └── service-account.yaml ├── values.customer.yaml └── values.yaml ├── port_forward_catalog.sh ├── renovate.json ├── setup_postgres.sh ├── setup_temporal_schema.sh ├── test_catalog.sh ├── utils ├── connect_catalog.sh ├── connect_peerdb.sh ├── tctl.sh └── temporal-port-forward.sh ├── values_catalog.sh └── values_peerdb.sh /.env.template: -------------------------------------------------------------------------------- 1 | # ADMIN DATABASE CONNECTION INFO 2 | # Postgres used for catalog, visibility and temporal history. 3 | PG_HOST= # not required if using in-cluster postgres 4 | PG_PORT=5432 5 | PG_USER=postgres 6 | PG_PASSWORD= # not required if using in-cluster postgres 7 | PG_DATABASE=postgres 8 | PG_RDS_SSL_ENABLED=false # If using RDS catalog specifically, it will auto-pick up the certificate required for SSL 9 | 10 | # TEMPORAL DATABASE SETTINGS 11 | # The following variables dictate the name of the user and databases that will 12 | # be created in Postgres to be used by Temporal. These are all required. Edit 13 | # these to your liking. 14 | 15 | # These are irrelevant for Temporal Cloud. 16 | TEMPORAL_USER=temporal-pg-user 17 | TEMPORAL_PASSWORD=temporal-pg-password # not required if using in-cluster postgres 18 | 19 | # DO NOT CHANGE THESE. 20 | # These are used by temporal and currently hardcoded for Postgres. 21 | TEMPORAL_DB=temporal 22 | TEMPORAL_VISIBILITY_DB=temporal_visibility 23 | 24 | TEMPORAL_SSL_MODE=false # Should be false if using in-cluster catalog, set true for RDS etc. 
25 | # TEMPORAL_SSL_CA_CERT_PATH=./aws-ca-bundle.pem 26 | 27 | 28 | # PEERDB SETTINGS 29 | # env variables for peerdb deployment 30 | PEERDB_VERSION=stable-v0.22.1 31 | # name of the database that will be used by peerdb. 32 | PEERDB_CATALOG_DATABASE=peerdb_catalog_db 33 | PEERDB_CATALOG_CREDS_SECRET_NAME=catalog-db-manual-creds 34 | PEERDB_RELEASE_NAME=peerdb-rel 35 | PEERDB_K8S_NAMESPACE=peerdb-ns 36 | PEERDB_PASSWORD=peerdb # POC default; change it before the service is exposed 37 | PEERDB_UI_PASSWORD=peerdb # POC default; change it before the UI is exposed 38 | PEERDB_UI_NEXTAUTH_SECRET=R5f6vc1@6@@VZABJ8t0gYhhKLgAAchrTLaRrkVRY # !! CHANGE THIS TO A NEW RANDOMLY GENERATED STRING !! This value ships in the public template, so generate your own, e.g. with `openssl rand -base64 32` 39 | PEERDB_UI_SERVICE_URL= # Add the external IP/DNS from where PeerDB UI is being accessed, e.g. http://aws.loadbalancer.cname:3000 40 | SERVICE_ACCOUNT_NAME=peerdb-sa 41 | 42 | 43 | # TEMPORAL SETTINGS 44 | # For Self-Hosted Temporal, the namespace is 'default'. 45 | # For Temporal Cloud, set it to your Temporal Namespace name. This will be of the form nmspc.abc12 46 | PEERDB_TEMPORAL_NAMESPACE=default 47 | 48 | # The below 3 variables are for Temporal Cloud ONLY. 49 | # TEMPORAL_CLOUD_HOST will be of the form <namespace>.tmprl.cloud (port is 7233, omit it here) 50 | TEMPORAL_CLOUD_HOST= 51 | # TEMPORAL_CLOUD_CLIENT_CERT and TEMPORAL_CLOUD_CLIENT_KEY are derived from the ROOT CA used in namespace creation 52 | # These must be BASE64 strings 53 | TEMPORAL_CLOUD_CLIENT_CERT= 54 | TEMPORAL_CLOUD_CLIENT_KEY= 55 | # This can be any string. It is used to identify the deployment in Temporal Cloud. 
56 | PEERDB_DEPLOYMENT_UID= 57 | 58 | # AWS SETTINGS 59 | AWS_REGION= 60 | 61 | # Option 1: Use AWS Credentials explicitly 62 | AWS_ACCESS_KEY_ID= 63 | AWS_SECRET_ACCESS_KEY= 64 | 65 | # Option 2: Use AWS IAM role via service account 66 | AWS_ROLE_ARN= 67 | 68 | 69 | 70 | # For setting up authentication 71 | AUTHENTICATION_ENABLED=false 72 | AUTHENTICATION_CREDENTIALS_USERNAME= 73 | AUTHENTICATION_CREDENTIALS_PASSWORD= 74 | 75 | 76 | # For using in-cluster postgres for catalog 77 | CATALOG_DEPLOY_ENABLED=true 78 | CATALOG_DEPLOY_CLUSTER_NAME=catalog-pg 79 | 80 | 81 | # For datadog metrics and logs 82 | DATADOG_ENABLED=false 83 | DATADOG_SITE=us5.datadoghq.com 84 | DATADOG_API_KEY= 85 | DATADOG_CLUSTER_NAME= #Something like 86 | 87 | 88 | SAVE_VALUES_AS_SECRET=true 89 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | peerdb-catalog/aws-ca-bundle.pem linguist-vendored -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | Checklist: 2 | 3 | * [ ] Bumped the chart version(s) according to semantic versioning 4 | * [ ] Bump up both `peerdb` and `peerdb-catalog` charts to the same version 5 | * [ ] Update `peerdb-catalog/values.yaml`: 6 | * [ ] Set `temporal.admintools.image.tag` pointing to version with correct value from the dependency in `peerdb/Chart.yaml` subdependency 7 | -------------------------------------------------------------------------------- /.github/workflows/chart-check-docs.yml: -------------------------------------------------------------------------------- 1 | name: Check docs 2 | 3 | 4 | # Do not change this 5 | concurrency: check-docs-helm 6 | 7 | on: 8 | push: 9 | branches: 10 | - main 11 | pull_request: 12 | branches: 13 | - main 14 | 15 | 16 | jobs: 17 | 
check-docs-helm: 18 | runs-on: ubuntu-latest 19 | steps: 20 | - name: Checkout 21 | uses: actions/checkout@v4 22 | 23 | - name: Check docs 24 | run: | 25 | docker run -v "$PWD:/helm-docs" -u $(id -u) jnorwood/helm-docs:latest -c peerdb -d > README.md.peerdb.new 26 | docker run -v "$PWD:/helm-docs" -u $(id -u) jnorwood/helm-docs:latest -c peerdb-catalog -d > README.md.catalog.new 27 | exit_status=0 28 | diff -q README.md.peerdb.new peerdb/README.md || exit_status=$? 29 | if [ "$exit_status" != "0" ]; then 30 | echo "::error file=peerdb/README.md,line=1,col=1,endColumn=1::Outdated documentation, run '"'`docker run -v "$PWD:/helm-docs" -u $(id -u) jnorwood/helm-docs:latest -c peerdb`'"' to update." 31 | echo "::error file=peerdb/values.yaml,line=1,col=1,endColumn=1::Outdated documentation, run '"'`docker run -v "$PWD:/helm-docs" -u $(id -u) jnorwood/helm-docs:latest -c peerdb`'"' to update." 32 | exit 1 33 | fi 34 | diff -q README.md.catalog.new peerdb-catalog/README.md || exit_status=$? 35 | if [ "$exit_status" != "0" ]; then 36 | echo "::error file=peerdb-catalog/README.md,line=1,col=1,endColumn=1::Outdated documentation, run '"'`docker run -v "$PWD:/helm-docs" -u $(id -u) jnorwood/helm-docs:latest -c peerdb-catalog`'"' to update." 37 | echo "::error file=peerdb-catalog/values.yaml,line=1,col=1,endColumn=1::Outdated documentation, run '"'`docker run -v "$PWD:/helm-docs" -u $(id -u) jnorwood/helm-docs:latest -c peerdb-catalog`'"' to update." 
38 | exit 1 39 | fi -------------------------------------------------------------------------------- /.github/workflows/release-charts.yml: -------------------------------------------------------------------------------- 1 | name: Release Charts 2 | 3 | # Can be run via `gh workflow run release-charts.yml -f chartName=` 4 | 5 | # Do not change this 6 | concurrency: release-helm 7 | 8 | on: 9 | workflow_dispatch: 10 | inputs: 11 | chartName: 12 | type: choice 13 | description: Chart to Release 14 | required: true 15 | options: 16 | - peerdb 17 | - peerdb-catalog 18 | 19 | env: 20 | HELM_REPO_URL: "https://peerdb-io.github.io/peerdb-enterprise" 21 | 22 | jobs: 23 | release-chart: 24 | permissions: 25 | contents: write 26 | runs-on: ubuntu-latest 27 | steps: 28 | - name: Checkout 29 | uses: actions/checkout@v3 30 | with: 31 | path: 'src' 32 | fetch-depth: 0 33 | submodules: true 34 | - name: Checkout 35 | uses: actions/checkout@v2 36 | with: 37 | path: 'dest' 38 | ref: 'gh-pages' 39 | fetch-depth: 0 40 | 41 | - name: Install Helm 42 | uses: azure/setup-helm@v3 43 | 44 | - name: Package Helm Charts 45 | shell: bash 46 | run: | 47 | set -e 48 | declare -a chartNames=( 49 | "${{ github.event.inputs.chartName }}" 50 | ) 51 | for chart in "${chartNames[@]}" 52 | do 53 | test -f dest/$(helm show chart "src/${chart}" | yq '.name + "-" + .version + ".tgz"') && echo "Existing Chart with same version found" 2>&1 && exit 1 54 | echo "Updating and packaging ${chart}" 55 | cp src/LICENSE.md src/${chart}/ 56 | helm dep up "src/${chart}" 57 | helm package "src/${chart}" -u -d dest 58 | done 59 | - name: Push New Files 60 | shell: bash 61 | working-directory: dest 62 | run: | 63 | set -e 64 | helm repo index . 
--url "${{ env.HELM_REPO_URL }}" 65 | git config user.name "$GITHUB_ACTOR" 66 | git config user.email "$GITHUB_ACTOR@users.noreply.github.com" 67 | git add $(git ls-files -o --exclude-standard) 68 | git add index.yaml 69 | git commit -m "Updated from ref: $GITHUB_SHA" 70 | git push 71 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ### Helm ### 2 | # Chart dependencies 3 | **/charts/*.tgz 4 | 5 | # Created by https://www.toptal.com/developers/gitignore/api/python 6 | # Edit at https://www.toptal.com/developers/gitignore?templates=python 7 | 8 | ### Python ### 9 | # Byte-compiled / optimized / DLL files 10 | __pycache__/ 11 | *.py[cod] 12 | *$py.class 13 | 14 | # C extensions 15 | *.so 16 | 17 | # Distribution / packaging 18 | .Python 19 | build/ 20 | develop-eggs/ 21 | dist/ 22 | downloads/ 23 | eggs/ 24 | .eggs/ 25 | lib/ 26 | lib64/ 27 | parts/ 28 | sdist/ 29 | var/ 30 | wheels/ 31 | share/python-wheels/ 32 | *.egg-info/ 33 | .installed.cfg 34 | *.egg 35 | MANIFEST 36 | 37 | # PyInstaller 38 | # Usually these files are written by a python script from a template 39 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
40 | *.manifest 41 | *.spec 42 | 43 | # Installer logs 44 | pip-log.txt 45 | pip-delete-this-directory.txt 46 | 47 | # Unit test / coverage reports 48 | htmlcov/ 49 | .tox/ 50 | .nox/ 51 | .coverage 52 | .coverage.* 53 | .cache 54 | nosetests.xml 55 | coverage.xml 56 | *.cover 57 | *.py,cover 58 | .hypothesis/ 59 | .pytest_cache/ 60 | cover/ 61 | 62 | # Translations 63 | *.mo 64 | *.pot 65 | 66 | # Django stuff: 67 | *.log 68 | local_settings.py 69 | db.sqlite3 70 | db.sqlite3-journal 71 | 72 | # Flask stuff: 73 | instance/ 74 | .webassets-cache 75 | 76 | # Scrapy stuff: 77 | .scrapy 78 | 79 | # Sphinx documentation 80 | docs/_build/ 81 | 82 | # PyBuilder 83 | .pybuilder/ 84 | target/ 85 | 86 | # Jupyter Notebook 87 | .ipynb_checkpoints 88 | 89 | # IPython 90 | profile_default/ 91 | ipython_config.py 92 | 93 | # pyenv 94 | # For a library or package, you might want to ignore these files since the code is 95 | # intended to run in multiple environments; otherwise, check them in: 96 | # .python-version 97 | 98 | # pipenv 99 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 100 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 101 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 102 | # install all needed dependencies. 103 | #Pipfile.lock 104 | 105 | # poetry 106 | # Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 107 | # This is especially recommended for binary packages to ensure reproducibility, and is more 108 | # commonly ignored for libraries. 109 | # https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control 110 | #poetry.lock 111 | 112 | # pdm 113 | # Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. 
114 | #pdm.lock 115 | # pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it 116 | # in version control. 117 | # https://pdm.fming.dev/#use-with-ide 118 | .pdm.toml 119 | 120 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm 121 | __pypackages__/ 122 | 123 | # Celery stuff 124 | celerybeat-schedule 125 | celerybeat.pid 126 | 127 | # SageMath parsed files 128 | *.sage.py 129 | 130 | # Environments 131 | .env 132 | .venv 133 | env/ 134 | venv/ 135 | ENV/ 136 | env.bak/ 137 | venv.bak/ 138 | 139 | # Spyder project settings 140 | .spyderproject 141 | .spyproject 142 | 143 | # Rope project settings 144 | .ropeproject 145 | 146 | # mkdocs documentation 147 | /site 148 | 149 | # mypy 150 | .mypy_cache/ 151 | .dmypy.json 152 | dmypy.json 153 | 154 | # Pyre type checker 155 | .pyre/ 156 | 157 | # pytype static type analyzer 158 | .pytype/ 159 | 160 | # Cython debug symbols 161 | cython_debug/ 162 | 163 | # PyCharm 164 | # JetBrains specific template is maintained in a separate JetBrains.gitignore that can 165 | # be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore 166 | # and can be added to the global gitignore or merged into this file. For a more nuclear 167 | # option (not recommended) you can uncomment the following to ignore the entire idea folder. 
168 | #.idea/ 169 | 170 | ### Python Patch ### 171 | # Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration 172 | poetry.toml 173 | 174 | # ruff 175 | .ruff_cache/ 176 | 177 | # LSP config files 178 | pyrightconfig.json 179 | 180 | # End of https://www.toptal.com/developers/gitignore/api/python 181 | 182 | ### VSCode ### 183 | .vscode 184 | 185 | peerdb.values.secret.yaml 186 | temporal.values.secret.yaml 187 | peerdb-catalog.values.secret.yaml 188 | ssh-tunnel.values.secret.yaml 189 | 190 | peerdb-catalog/values.customer.yaml 191 | peerdb/values.customer.yaml -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/norwoodj/helm-docs 3 | rev: v1.14.2 4 | hooks: 5 | - id: helm-docs-container 6 | name: helm-docs 7 | args: 8 | - --chart-search-root=. 9 | - --chart-to-generate=peerdb,peerdb-catalog 10 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | # **Elastic License 2.0 (ELv2)** 2 | 3 | # **Elastic License** 4 | 5 | # **Acceptance** 6 | 7 | By using the software, you agree to all of the terms and conditions below. 8 | 9 | # **Copyright License** 10 | 11 | The licensor grants you a non-exclusive, royalty-free, worldwide, non-sublicensable, non-transferable license to use, copy, distribute, make available, and prepare derivative works of the software, in each case subject to the limitations and conditions below. 12 | 13 | # **Limitations** 14 | 15 | You may not provide the software to third parties as a hosted or managed service, where the service provides users with access to any substantial set of the features or functionality of the software. 
16 | 17 | You may not move, change, disable, or circumvent the license key functionality in the software, and you may not remove or obscure any functionality in the software that is protected by the license key. 18 | 19 | You may not alter, remove, or obscure any licensing, copyright, or other notices of the licensor in the software. Any use of the licensor’s trademarks is subject to applicable law. 20 | 21 | # **Patents** 22 | 23 | The licensor grants you a license, under any patent claims the licensor can license, or becomes able to license, to make, have made, use, sell, offer for sale, import and have imported the software, in each case subject to the limitations and conditions in this license. This license does not cover any patent claims that you cause to be infringed by modifications or additions to the software. If you or your company make any written claim that the software infringes or contributes to infringement of any patent, your patent license for the software granted under these terms ends immediately. If your company makes such a claim, your patent license ends immediately for work on behalf of your company. 24 | 25 | # **Notices** 26 | 27 | You must ensure that anyone who gets a copy of any part of the software from you also gets a copy of these terms. 28 | 29 | If you modify the software, you must include in any modified copies of the software prominent notices stating that you have modified the software. 30 | 31 | # **No Other Rights** 32 | 33 | These terms do not imply any licenses other than those expressly granted in these terms. 34 | 35 | # **Termination** 36 | 37 | If you use the software in violation of these terms, such use is not licensed, and your licenses will automatically terminate. If the licensor provides you with a notice of your violation, and you cease all violation of this license no later than 30 days after you receive that notice, your licenses will be reinstated retroactively. 
However, if you violate these terms after such reinstatement, any additional violation of these terms will cause your licenses to terminate automatically and permanently. 38 | 39 | # **No Liability** 40 | 41 | ***As far as the law allows, the software comes as is, without any warranty or condition, and the licensor will not be liable to you for any damages arising out of these terms or the use or nature of the software, under any kind of legal claim.*** 42 | 43 | # **Definitions** 44 | 45 | The **licensor** is the entity offering these terms, and the **software** is the software the licensor makes available under these terms, including any portion of it. 46 | 47 | **you** refers to the individual or entity agreeing to these terms. 48 | 49 | **your company** is any legal entity, sole proprietorship, or other kind of organization that you work for, plus all organizations that have control over, are under the control of, or are under common control with that organization. **control** means ownership of substantially all the assets of an entity, or the power to direct its management and policies by vote, contract, or otherwise. Control can be direct or indirect. 50 | 51 | **your licenses** are all the licenses granted to you for the software under these terms. 52 | 53 | **use** means anything you do with the software requiring one of your licenses. 54 | 55 | **trademark** means trademarks, service marks, and similar rights. 56 | -------------------------------------------------------------------------------- /PRODUCTION.md: -------------------------------------------------------------------------------- 1 | # Production Configuration and Best Practices 2 | 3 | After following the POC guide from the [QuickStart under README.md](README.md), you can now move on to setting up PeerDB Enterprise in a production environment. This guide will help you understand the best practices and configurations to follow for a production setup. 
4 | 5 | ## Making the `values.yaml` files secure 6 | 7 | 1. After running the `./install_catalog.sh` and `./install_peerdb.sh` scripts, there should be 2 files available in the root directory of the repository pertaining to the two charts that were installed (`peerdb` and `peerdb-catalog`): 8 | ```shell 9 | $ ls *.values.secret.yaml 10 | peerdb-catalog.values.secret.yaml 11 | peerdb.values.secret.yaml 12 | ``` 13 | 14 | 2. These two files can now be copied and used to override the default chart values, either directly with the `helm` commands or indirectly via `helmfile`, ArgoCD, Flux, etc., to deploy the charts with the desired configurations. They contain the credentials in plaintext, so keep them out of version control (they are already listed in `.gitignore`) and prefer the `existingSecret` approach described next for production. 15 | 16 | 3. Each password can be configured to use an in-cluster kubernetes secret by setting the `existingSecret` key available at the same level as the password key. The secret should have a key named `password` whose value is the password. For example: 17 | ```yaml 18 | # peerdb/values.customer.yaml 19 | peerdb: 20 | catalog: 21 | existingSecret: peerdb-catalog-secret 22 | ... 23 | # peerdb-catalog/values.customer.yaml 24 | credentials: 25 | default: 26 | existingSecret: peerdb-temporal-default-creds-secret 27 | visibility: 28 | existingSecret: peerdb-temporal-visibility-creds-secret 29 | admin: 30 | existingSecret: peerdb-temporal-admin-creds-secret 31 | catalog: 32 | existingSecret: peerdb-catalog-secret 33 | ``` 34 | 4. The charts can also be used as subchart dependencies so that additional manifests such as `ExternalSecrets`, `NetworkPolicies`, `PodSecurityPolicies` (removed in Kubernetes 1.25; use Pod Security Admission on newer clusters), etc. can be added alongside them. 35 | 36 | 37 | ## Accessing the Packaged Helm Charts 38 | 39 | The Helm Charts are available via the GitHub Pages site of this repo and can be accessed via the following: 40 | ```yaml 41 | name: <chart-name> 42 | repository: https://peerdb-io.github.io/peerdb-enterprise 43 | ``` 44 | 45 | ## Examples of production setups 46 | 47 | Example production setups can be seen in the [`examples`](examples) directory. 
48 | 49 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 |
3 | 4 | PeerDB Banner 5 | 6 | #### Frustratingly simple ETL for Postgres 7 | 8 | [![ElV2 License](https://badgen.net/badge/License/Elv2/green?icon=github)](https://github.com/PeerDB-io/peerdb-enterprise/blob/main/LICENSE.md) 9 | [![Slack Community](https://img.shields.io/badge/slack-peerdb-brightgreen.svg?logo=slack)](https://slack.peerdb.io) 10 | 11 |
12 | 13 | ## PeerDB 14 | 15 | At PeerDB, we are building a fast, simple and the most cost-effective way to stream data from Postgres to a host of Data Warehouses, Queues and Storage Engines. If you are running Postgres at the heart of your data stack and move data at scale from Postgres to any of the above targets, PeerDB can provide value. 16 | 17 | [PeerDB was acquired by ClickHouse](https://blog.peerdb.io/clickhouse-acquires-peerdb-for-native-postgres-cdc-integration) in July 2024. As part of this acquisition, we're making public the repository that contains the Helm charts used for deploying our Enterprise offering. This will enable people to self-host PeerDB in a more reliable and scalable manner. 18 | 19 | ## Overview 20 | 21 | PeerDB itself has 5 main services: 22 | 23 | 1. `flow-worker`: The service that actually runs mirrors and does all the data movement. Written in Golang, source code [here](https://github.com/PeerDB-io/peerdb/tree/main/flow). 24 | 2. `flow-snapshot-worker`: Helps `flow-worker` perform the initial snapshot of mirrors. Needs to be available at all times during this phase of a mirror. Shares source code with `flow-worker`. 25 | 3. `flow-api`: Hosts the gRPC API that actually creates and manages mirrors. `peerdb-ui` and `peerdb-server` depend on this. Shares source code with `flow-worker` and `flow-snapshot-worker`. 26 | 4. `peerdb-ui`: Intuitive web UI for interacting with peers and mirrors. Written in Next.js, source code [here](https://github.com/PeerDB-io/peerdb/tree/main/ui). 27 | 5. `peerdb-server`: Postgres wire protocol compatible SQL query layer, allows creating peers and mirrors via `psql` and other Postgres tooling. Written in Rust, source code [here](https://github.com/PeerDB-io/peerdb/tree/main/nexus). 28 | 29 | For a more detailed overview of PeerDB's architecture, you can look [here](https://docs.peerdb.io/architecture). 
Aside from this, PeerDB needs a Postgres database to use as a "catalog" to store configuration, and [Temporal](https://temporal.io) for workflow orchestration. Both can either be cloud-based or self-hosted (self-hosted Temporal in turn needs Postgres too), and the charts can be configured according to your needs. 30 | 31 | The sections below provide a quick way to get started with using the charts (like a POC). You can jump to the [Production Guide](#production-usage-post-poc) post POC (or if you are comfortable enough). 32 | 33 | ## Install Dependencies 34 | 35 | ### Needed 36 | 1. helm 37 | 2. kubectl 38 | 3. [yq](https://github.com/mikefarah/yq) 39 | 40 | ### Optional 41 | 1. Golang (if you need to setup catalog manually) 42 | 2. [k9s](https://github.com/derailed/k9s) for debugging 43 | 3. `psql` if you need to interface with `peerdb-server` 44 | 45 | ## Setup Kubernetes Cluster 46 | 47 | 1. Create a Kubernetes cluster on your favorite cloud provider 48 | 2. A sample node-pool/node-group for following the quickstart guide can look like: 49 | - Number of nodes: 3 (autoscaling recommended) 50 | - vCores: 8 51 | - Memory: 32GB 52 | - Disk: 300GB 53 | - Architecture: x64/ARM64 54 | 3. Setup your kubectl to point to the cluster 55 | 56 | ## QuickStart - Setting up PeerDB Enterprise 57 | 1. [Make sure all local dependencies are installed](#install-dependencies) 58 | 2. [Make sure Cluster is setup and kubectl is pointing to the cluster](#setup-kubernetes-cluster) 59 | 3. Clone this repo and create an `.env` file from `.env.template`. 60 | 4. [Setup In-Cluster Catalog Postgres](#option-b-in-cluster-with-helm-chart) 61 | 1. Run `./install_catalog.sh` 62 | 2. Run `./test_catalog.sh` 63 | 5. [Install PeerDB](#install-peerdb) 64 | 1. [Update `.env` with `PEERDB_PASSWORD` and `PEERDB_UI_PASSWORD`](#setting-up-credentials-to-access-peerdb) 65 | 1. Also generate a **new random string** for `PEERDB_UI_NEXTAUTH_SECRET` and set it in `.env` 66 | 2. 
Run `./install_peerdb.sh` for the first time 67 | 3. Set `PEERDB_UI_SERVICE_URL` in `.env` to the DNS/CNAME/IP of the LoadBalancer created and re-run `./install_peerdb.sh` 68 | 1. Run `kubectl get service peerdb-ui -n peerdb-ns` to get the external IP (`external_ip`) of the PeerDB UI service. (Change the namespace here if you have set a different namespace) 69 | 2. Set the value of `PEERDB_UI_SERVICE_URL` in `.env` to `http://<external_ip>:3000` 70 | 4. Re-run `./install_peerdb.sh` to update the service with the new DNS/CNAME/IP 71 | 72 | ## (Optional) Saving `values.customer.yaml` in the cluster as a secret for backup 73 | 74 | Specific changes can be made to `values.customer.yaml` for both the `peerdb` and the `peerdb-catalog` helm charts. 75 | 76 | `values.customer.yaml` can be backed up as kubernetes secrets. To enable this, set `SAVE_VALUES_AS_SECRET=true` in the `.env`. Note that such a backup secret carries the same plaintext credentials as the values file, so restrict who can read secrets in that namespace. 77 | 78 | 79 | ## Setup Catalog Postgres 80 | 81 | ### Option A. Self-Hosted/CloudNative 82 | 83 | 1. Deploy postgres as needed. 84 | 2. Update `.env` appropriately with the credentials 85 | 3. Set `CATALOG_DEPLOY_ENABLED=false` in `.env` 86 | 4. 1. If using RDS, enable SSL by setting `PG_RDS_SSL_ENABLED=true` in `.env`. 87 | 2. If using SSL with another provider, set `TEMPORAL_SSL_MODE=true` in `.env`. 88 | 5. Run `./install_catalog.sh`; this will set up the schema. 89 | 6. Run `./test_catalog.sh` to verify that the schema version and permissions are in order 90 | 91 | 92 | ### Option B. In-Cluster with Helm Chart 93 | 94 | 1. Set `CATALOG_DEPLOY_ENABLED=true` in `.env` 95 | 2. Run `./install_catalog.sh` 96 | 3. Run `./test_catalog.sh` to verify that the schema version and permissions are in order once the postgres pods are up 97 | 98 | #### NOTE: `PG_PASSWORD` is NOT read from `.env` in this mode; it is auto-generated and can be obtained from the secret `"${CATALOG_DEPLOY_CLUSTER_NAME}-pguser-${PG_USER}"` 99 | 100 | ## [Optional] Enabling Datadog logs/metrics 101 | 1. 
Set `DATADOG_ENABLED=true` 102 | 2. Set the following parameters: 103 | ``` 104 | DATADOG_SITE= 105 | DATADOG_API_KEY= 106 | DATADOG_CLUSTER_NAME= 107 | ``` 108 | 109 | ## Setting up credentials to access PeerDB 110 | 111 | The following can be set in the `.env` to set up credentials to access PeerDB (the values shown are the template defaults; replace them with strong passwords before the services are exposed): 112 | ``` 113 | PEERDB_PASSWORD=peerdb 114 | PEERDB_UI_PASSWORD=peerdb 115 | ``` 116 | 117 | Also set `PEERDB_UI_NEXTAUTH_SECRET` to a random static string (e.g. generated with `openssl rand -base64 32`); do not keep the example value shipped in `.env.template` 118 | ``` 119 | PEERDB_UI_NEXTAUTH_SECRET= 120 | ``` 121 | 122 | 123 | ## [Optional] Enabling Authentication Proxy 124 | 125 | 1. Authentication for PeerDB UI and Temporal WebUI can be enabled by setting the following in `.env`: 126 | ```shell 127 | AUTHENTICATION_ENABLED=true 128 | AUTHENTICATION_CREDENTIALS_USERNAME= 129 | AUTHENTICATION_CREDENTIALS_PASSWORD= 130 | ``` 131 | This will disable the `LoadBalancer` for both services and instead create a LoadBalancer for the Authentication Proxy. 132 | 2. Once Temporal and PeerDB are installed in the cluster, set/update DNS entries starting with `temporal.`, `peerdb.` and `peerdb-ui.` to point to the `LoadBalancer` IP of the `authentication-proxy` service. 133 | 3. Temporal and PeerDB UI can be accessed through the DNS names set in the previous step. 134 | 135 | ## Setup Catalog (Not required for in-cluster catalog) 136 | 137 | ### For Self-Hosted Temporal: 138 | 139 | Catalog will automatically be set up (with schema update/migration) using k8s jobs via the helm chart. The jobs might go through a few retries before everything reconciles. 140 | 141 | NOTE: Catalog can still be set up/upgraded via `./setup_postgres.sh` and `./setup_temporal_schema.sh` in case there is an issue. 142 | 143 | 144 | ### For Temporal Cloud: 145 | 1. Fill in the `TEMPORAL_CLOUD_HOST`, `TEMPORAL_CLOUD_CLIENT_CERT` and `TEMPORAL_CLOUD_CLIENT_KEY` environment variables (the names used in `.env.template`) in `.env`. 146 | 2. Fill in `PEERDB_DEPLOYMENT_UID` with an appropriate string to uniquely identify the current deployment. 
147 | 148 | ## Install PeerDB 149 | 150 | 1. Run `./install_peerdb.sh` to install/upgrade peerdb on the kubernetes cluster. 151 | 2. Run `kubectl get service peerdb-server -n ${PEERDB_K8S_NAMESPACE}` to get the external IP of the peerdb server. 152 | 3. Validate that you are able to access temporal-web by: 153 | `kubectl port-forward -n ${TEMPORAL_K8S_NAMESPACE} services/${TEMPORAL_RELEASE_NAME}-web 8080:8080` 154 | 155 | ### Important Additional Steps 156 | - If enabling service of type LoadBalancer, set `PEERDB_UI_SERVICE_URL` in `.env` to the DNS/CNAME/IP of the LoadBalancer for `peerdb-ui` service created and re-run `./install_peerdb.sh`. For example: 157 | ``` 158 | PEERDB_UI_SERVICE_URL=http://aac397508d3594a4494dc9350812c40d-509756028.us-east-1.elb.amazonaws.com:3000 159 | ``` 160 | 161 | ## Setting up Resources for PeerDB and In-Cluster Catalog 162 | Setting up resources for PeerDB and In-Cluster Catalog is as simple as updating the `values.customer.yaml` file in the respective charts (`peerdb` and `peerdb-catalog`). 163 | 164 | - `peerdb/values.customer.yaml`: 165 | ```yaml 166 | flowWorker: 167 | resources: 168 | requests: 169 | cpu: 12 170 | memory: 48Gi 171 | ephemeral-storage: 384Gi 172 | limits: 173 | cpu: 16 174 | memory: 64Gi 175 | ephemeral-storage: 512Gi 176 | replicaCount: 2 177 | ``` 178 | - and `peerdb-catalog/values.customer.yaml`: 179 | ```yaml 180 | deploy: 181 | resources: 182 | requests: 183 | cpu: 2 184 | memory: 8Gi 185 | limits: 186 | cpu: 2 187 | memory: 8Gi 188 | ``` 189 | 190 | ## Production usage post POC 191 | 192 | A production guide setup with examples is available in [`PRODUCTION.md`](PRODUCTION.md). 
193 | 194 | ## Issues and Fixes 195 | 196 | ### Accessing Temporal UI over non-HTTPS 197 | 198 | The insecure cookie setting needs to be enabled to send commands/signals via the Temporal UI over plain HTTP and can be added to `peerdb/values.customer.yaml`. Note that this weakens the CSRF cookie protection of the UI, so use it only where the Temporal UI is not reachable from untrusted networks; serving the UI over HTTPS avoids the need for it: 199 | ```yaml 200 | temporal-deploy: 201 | web: 202 | additionalEnv: 203 | - name: TEMPORAL_CSRF_COOKIE_INSECURE 204 | value: 'true' 205 | -------------------------------------------------------------------------------- /examples/otel-prometheus-setup/README.md: -------------------------------------------------------------------------------- 1 | # Using OpenTelemetry and Prometheus with PeerDB 2 | 3 | This example demonstrates how to use OpenTelemetry and Prometheus with PeerDB. 4 | 5 | ## Assumptions 6 | 7 | OpenTelemetry and Prometheus are installed in the `telemetry` namespace; the example can be modified to use a different namespace. 8 | 9 | Install it by running: 10 | ```shell 11 | helm install --debug peerdb-telemetry peerdb-telemetry --namespace telemetry --create-namespace 12 | ``` 13 | 14 | ## OpenTelemetry and Prometheus setup 15 | 16 | This example includes a helm chart with OpenTelemetry Collector and Prometheus with sane defaults (check the `values.yaml` file for more details): 17 | 1. OpenTelemetry is 18 | 1. enabling a prometheus-compatible endpoint at port `9090` 19 | 2. enabling the `prometheus` exporter 20 | 3. exposing the port `9090` which was just enabled so that Prometheus can scrape the metrics 21 | 22 | Other configuration like the `otlp-http` endpoint, healthcheck etc. is enabled by default in the chart 23 | 2. Prometheus is 24 | 1. scraping the OpenTelemetry Collector at `http://peerdb-telemetry-collector.telemetry:9090/metrics` 25 | 2. exposing the Prometheus UI through a load balancer service. The Prometheus UI has no authentication of its own, so a `LoadBalancer` exposes it to anyone who can reach that address; outside a test setup keep it `ClusterIP` and port-forward to it, or front it with an authenticated ingress 26 | 27 | 28 | ## PeerDB setup 29 | 30 | PeerDB needs to be configured to send metrics to the OpenTelemetry Collector. 
This can be done by configuring the `values.customer.yaml` 31 | in the PeerDB helm chart: 32 | 33 | ```yaml 34 | flowWorker: 35 | extraEnv: 36 | - name: ENABLE_OTEL_METRICS 37 | value: "true" 38 | - name: OTEL_EXPORTER_OTLP_METRICS_ENDPOINT 39 | value: http://peerdb-telemetry-collector.telemetry:4318/v1/metrics 40 | ``` 41 | -------------------------------------------------------------------------------- /examples/otel-prometheus-setup/peerdb-telemetry/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /examples/otel-prometheus-setup/peerdb-telemetry/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: peerdb-telemetry 3 | description: A Helm chart for Kubernetes 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. 
This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 0.1.0 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | # It is recommended to use it with quotes. 24 | appVersion: "1.16.0" 25 | 26 | 27 | dependencies: 28 | - name: opentelemetry-collector 29 | version: 0.90.1 30 | repository: https://open-telemetry.github.io/opentelemetry-helm-charts 31 | alias: collector 32 | - name: prometheus 33 | version: 25.20.1 34 | repository: https://prometheus-community.github.io/helm-charts 35 | alias: prometheus -------------------------------------------------------------------------------- /examples/otel-prometheus-setup/peerdb-telemetry/values.yaml: -------------------------------------------------------------------------------- 1 | collector: 2 | config: 3 | exporters: 4 | prometheus: 5 | endpoint: 0.0.0.0:9090 6 | namespace: peerdb 7 | service: 8 | pipelines: 9 | metrics: 10 | exporters: 11 | - prometheus 12 | image: 13 | repository: "otel/opentelemetry-collector-contrib" 14 | mode: deployment 15 | ports: 16 | prom-export: 17 | enabled: true 18 | containerPort: 9090 19 | servicePort: 9090 20 | protocol: TCP 21 | 22 | prometheus: 23 | extraScrapeConfigs: | 24 | - job_name: 'peerdb' 25 | static_configs: 26 | - targets: ['peerdb-telemetry-collector.telemetry:9090'] 27 | server: 28 | service: 29 | type: LoadBalancer 30 | -------------------------------------------------------------------------------- /examples/production-with-gitops/README.md: -------------------------------------------------------------------------------- 1 | # Production setup with GitOps 2 | 3 | 
This example shows usage of the Helm Charts while covering the following scenarios: 4 | - Using a self-hosted/cloud Postgres for the catalog 5 | - Using a custom SSL certificate for the catalog 6 | - Using secrets via kubernetes secrets 7 | - Leveraging [`ExternalSecrets`](https://external-secrets.io/) for syncing secrets from a secret manager 8 | - Extending PeerDB Chart to include additional resources 9 | - `ExternalSecrets` for syncing secrets from a secret manager 10 | 11 | -------------------------------------------------------------------------------- /examples/production-with-gitops/peerdb-enterprise-catalog/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | LICENSE.md 25 | -------------------------------------------------------------------------------- /examples/production-with-gitops/peerdb-enterprise-catalog/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: peerdb-enterprise 3 | description: A Helm chart for Kubernetes 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. 
Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 0.1.0 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | # It is recommended to use it with quotes. 24 | appVersion: "1.16.0" 25 | 26 | dependencies: 27 | - name: peerdb-catalog 28 | version: 0.6.0 29 | repository: https://peerdb-io.github.io/peerdb-enterprise 30 | alias: catalog 31 | -------------------------------------------------------------------------------- /examples/production-with-gitops/peerdb-enterprise-catalog/templates/creds.default.external-secret.yaml: -------------------------------------------------------------------------------- 1 | # this can be further extended to have different secret stores for different existingSecrets 2 | --- 3 | apiVersion: external-secrets.io/v1beta1 4 | kind: ExternalSecret 5 | metadata: 6 | name: {{ .Values.catalog.credentials.default.existingSecret }}-ext 7 | spec: 8 | refreshInterval: {{ .Values.secretsStore.refreshInterval }} 9 | secretStoreRef: 10 | name: {{ .Values.secretsStore.name }} 11 | kind: {{ .Values.secretsStore.kind }} 12 | target: 13 | name: {{ .Values.catalog.credentials.default.existingSecret }} 14 | template: 15 | engineVersion: v2 16 | data: 17 | {{- if .Values.catalog.credentials.default.existingSecretEnabledFields.user}} 18 | user: '{{`{{ .CATALOG_USER }}`}}' 19 | {{- end }} 20 | password: '{{`{{ .CATALOG_PASSWORD }}`}}' 21 | data: 22 | {{- if 
.Values.catalog.credentials.default.existingSecretEnabledFields.user}} 23 | - secretKey: CATALOG_USER 24 | remoteRef: 25 | key: {{ .Values.secretsStore.keyPrefix }}/{{ .Values.catalog.credentials.default.existingSecret }} 26 | property: catalog.user 27 | {{- end }} 28 | - secretKey: CATALOG_PASSWORD 29 | remoteRef: 30 | key: {{ .Values.secretsStore.keyPrefix }}/{{ .Values.catalog.credentials.default.existingSecret }} 31 | property: catalog.password 32 | -------------------------------------------------------------------------------- /examples/production-with-gitops/peerdb-enterprise-catalog/templates/ssl.external-secret.yaml: -------------------------------------------------------------------------------- 1 | # this can be further extended to have different secret stores for different existingSecrets 2 | --- 3 | apiVersion: external-secrets.io/v1beta1 4 | kind: ExternalSecret 5 | metadata: 6 | name: {{ .Values.catalog.credentials.ssl.existingSecret }}-ext 7 | annotations: 8 | {{- if or .Values.catalog.schema.setup.hook.enabled .Values.catalog.schema.update.hook.enabled }} 9 | "helm.sh/hook": pre-install,pre-upgrade 10 | "helm.sh/hook-weight": "-2" 11 | {{- if not .Values.catalog.schema.setup.debug }} 12 | "helm.sh/hook-delete-policy": hook-succeeded,hook-failed 13 | {{- end }} 14 | {{- end }} 15 | spec: 16 | refreshInterval: {{ .Values.secretsStore.refreshInterval }} 17 | secretStoreRef: 18 | name: {{ .Values.secretsStore.name }} 19 | kind: {{ .Values.secretsStore.kind }} 20 | target: 21 | name: {{ .Values.catalog.credentials.ssl.existingSecret }} 22 | template: 23 | engineVersion: v2 24 | data: 25 | certificate: '{{`{{ .SSL_CERTIFICATE }}`}}' 26 | data: 27 | - secretKey: SSL_CERTIFICATE 28 | remoteRef: 29 | key: {{ .Values.secretsStore.keyPrefix }}/{{ .Values.catalog.credentials.ssl.existingSecret }} 30 | property: certificate 31 | -------------------------------------------------------------------------------- 
/examples/production-with-gitops/peerdb-enterprise-catalog/values.yaml: -------------------------------------------------------------------------------- 1 | catalog: 2 | credentials: 3 | default: 4 | database: peerdb_temporal 5 | existingSecret: peerdb-db-admin 6 | existingSecretEnabledFields: 7 | user: true 8 | visibility: 9 | database: peerdb_temporal_visibility 10 | existingSecret: peerdb-db-admin 11 | existingSecretEnabledFields: 12 | user: true 13 | admin: 14 | database: postgres 15 | existingSecret: peerdb-db-admin 16 | existingSecretEnabledFields: 17 | user: true 18 | catalog: 19 | database: peerdb 20 | pgHost: my-server.postgres.com 21 | pgPort: '5432' 22 | secretName: peerdb-db-admin 23 | ssl: 24 | enabled: true 25 | type: Other 26 | existingSecret: catalog-ssl-certificate 27 | deploy: 28 | enabled: false 29 | temporal: 30 | deploy: 31 | enabled: true 32 | tls: 33 | enabled: true 34 | schema: 35 | setup: 36 | enabled: true 37 | 38 | global: 39 | peerdb: 40 | enterprise: 41 | saveCustomerValuesAsSecret: true 42 | 43 | # Let's assume that the below secretStore (already available) uses SSM as its backend and the secret is json encoded. Docs: https://external-secrets.io/latest/provider/aws-parameter-store/ 44 | secretsStore: 45 | name: peerdb-secret-store 46 | kind: SecretStore 47 | refreshInterval: "0" 48 | keyPrefix: /path/to/peerdb/secrets/prefix 49 | -------------------------------------------------------------------------------- /examples/production-with-gitops/peerdb-enterprise/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | LICENSE.md 25 | -------------------------------------------------------------------------------- /examples/production-with-gitops/peerdb-enterprise/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: peerdb-enterprise 3 | description: A Helm chart for Kubernetes 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 0.1.0 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | # It is recommended to use it with quotes. 
24 | appVersion: "1.16.0" 25 | 26 | dependencies: 27 | - name: peerdb 28 | version: 0.6.0 29 | repository: https://peerdb-io.github.io/peerdb-enterprise 30 | -------------------------------------------------------------------------------- /examples/production-with-gitops/peerdb-enterprise/templates/creds.peerdb.external-secret.yaml: -------------------------------------------------------------------------------- 1 | # this can be further extended to have different secret stores for different existingSecrets 2 | --- 3 | apiVersion: external-secrets.io/v1beta1 4 | kind: ExternalSecret 5 | metadata: 6 | name: {{ .Values.peerdb.catalog.existingSecret }}-ext 7 | spec: 8 | refreshInterval: {{ .Values.secretsStore.refreshInterval }} 9 | secretStoreRef: 10 | name: {{ .Values.secretsStore.name }} 11 | kind: {{ .Values.secretsStore.kind }} 12 | target: 13 | name: {{ .Values.peerdb.catalog.existingSecret }} 14 | template: 15 | engineVersion: v2 16 | data: 17 | host: '{{`{{ .CATALOG_HOST }}`}}' 18 | port: '{{`{{ .CATALOG_PORT }}`}}' 19 | user: '{{`{{ .CATALOG_USER }}`}}' 20 | password: '{{`{{ .CATALOG_PASSWORD }}`}}' 21 | dbname: '{{`{{ .CATALOG_DATABASE }}`}}' 22 | uri: "postgres://{{`{{ .CATALOG_USER }}`}}:{{`{{ .CATALOG_PASSWORD }}`}}@{{`{{ .CATALOG_HOST }}`}}:{{`{{ .CATALOG_PORT }}`}}/{{`{{ .CATALOG_DATABASE }}`}}" 23 | data: 24 | - secretKey: CATALOG_HOST 25 | remoteRef: 26 | key: {{ .Values.secretsStore.keyPrefix }}/{{ .Values.peerdb.catalog.existingSecret }} 27 | property: catalog.host 28 | - secretKey: CATALOG_PORT 29 | remoteRef: 30 | key: {{ .Values.secretsStore.keyPrefix }}/{{ .Values.peerdb.catalog.existingSecret }} 31 | property: catalog.port 32 | - secretKey: CATALOG_USER 33 | remoteRef: 34 | key: {{ .Values.secretsStore.keyPrefix }}/{{ .Values.peerdb.catalog.existingSecret }} 35 | property: catalog.user 36 | - secretKey: CATALOG_PASSWORD 37 | remoteRef: 38 | key: {{ .Values.secretsStore.keyPrefix }}/{{ .Values.peerdb.catalog.existingSecret }} 39 | property: 
catalog.password 40 | - secretKey: CATALOG_DATABASE 41 | remoteRef: 42 | key: {{ .Values.secretsStore.keyPrefix }}/{{ .Values.peerdb.catalog.existingSecret }} 43 | property: catalog.database 44 | -------------------------------------------------------------------------------- /examples/production-with-gitops/peerdb-enterprise/templates/creds.temporal.default.external-secret.yaml: -------------------------------------------------------------------------------- 1 | # this can be further extended to have different secret stores for different existingSecrets. NOTE(review): `target.name` below resolves to `.Values.peerdb.catalog.existingSecret` rather than `$secretName`, so this ExternalSecret writes into the catalog credentials Secret instead of the Secret named by `persistence.default.sql.existingSecret`; confirm whether `$secretName` was intended (the visibility template has the same pattern). 2 | {{ $secretName := (index (.Values.peerdb) "temporal-deploy").server.config.persistence.default.sql.existingSecret }} 3 | --- 4 | apiVersion: external-secrets.io/v1beta1 5 | kind: ExternalSecret 6 | metadata: 7 | name: {{ $secretName }}-ext 8 | spec: 9 | refreshInterval: {{ .Values.secretsStore.refreshInterval }} 10 | secretStoreRef: 11 | name: {{ .Values.secretsStore.name }} 12 | kind: {{ .Values.secretsStore.kind }} 13 | target: 14 | name: {{ .Values.peerdb.catalog.existingSecret }} 15 | template: 16 | engineVersion: v2 17 | data: 18 | password: '{{`{{ .TEMPORAL_PASSWORD }}`}}' 19 | data: 20 | - secretKey: TEMPORAL_PASSWORD 21 | remoteRef: 22 | key: {{ .Values.secretsStore.keyPrefix }}/{{ $secretName }} 23 | property: temporal.password 24 | -------------------------------------------------------------------------------- /examples/production-with-gitops/peerdb-enterprise/templates/creds.temporal.visibility.external-secret.yaml: -------------------------------------------------------------------------------- 1 | # this can be further extended to have different secret stores for different existingSecrets. NOTE(review): as in creds.temporal.default.external-secret.yaml, `target.name` resolves to `.Values.peerdb.catalog.existingSecret` rather than `$secretName`; confirm whether `$secretName` was intended. 2 | {{ $secretName := (index (.Values.peerdb) "temporal-deploy").server.config.persistence.visibility.sql.existingSecret }} 3 | --- 4 | apiVersion: external-secrets.io/v1beta1 5 | kind: ExternalSecret 6 | metadata: 7 | name: {{ $secretName }}-ext 8 | spec: 9 | refreshInterval: {{ 
.Values.secretsStore.refreshInterval }} 10 | secretStoreRef: 11 | name: {{ .Values.secretsStore.name }} 12 | kind: {{ .Values.secretsStore.kind }} 13 | target: 14 | name: {{ .Values.peerdb.catalog.existingSecret }} 15 | template: 16 | engineVersion: v2 17 | data: 18 | password: '{{`{{ .TEMPORAL_PASSWORD }}`}}' 19 | data: 20 | - secretKey: TEMPORAL_PASSWORD 21 | remoteRef: 22 | key: {{ .Values.secretsStore.keyPrefix }}/{{ $secretName }} 23 | property: temporal.password 24 | -------------------------------------------------------------------------------- /examples/production-with-gitops/peerdb-enterprise/values.yaml: -------------------------------------------------------------------------------- 1 | peerdb: 2 | catalog: 3 | pgDatabase: peerdb 4 | pgAdminDatabase: postgres 5 | deploy: 6 | enabled: false 7 | existingSecret: peerdb-db 8 | temporal: 9 | namespace: peerdb 10 | releaseName: peerdb-temporal 11 | host: peerdb-temporal-deploy-frontend.peerdb.svc.cluster.local 12 | deploy: 13 | enabled: true 14 | peerdb: 15 | credentials: 16 | password: redacted 17 | version: stable-v0.12.2 18 | flowWorker: 19 | replicaCount: 2 20 | flowApi: 21 | replicaCount: 2 22 | peerdbUI: 23 | replicaCount: 1 24 | credentials: 25 | password: redacted 26 | nexauth_secret: redacted 27 | service: 28 | url: http(s)://external-dns-or-ip-of-peerdb-ui.com:port 29 | type: ClusterIP 30 | serviceAccount: 31 | name: peerdb-sa 32 | authentication: 33 | enabled: false 34 | temporal-deploy: 35 | server: 36 | config: 37 | persistence: 38 | default: 39 | sql: 40 | user: peerdb_temporal 41 | existingSecret: temporal-db 42 | database: peerdb_temporal 43 | tls: 44 | enabled: true 45 | host: my-server.postgres.com 46 | port: "5432" 47 | visibility: 48 | sql: 49 | user: peerdb_temporal_visibility 50 | existingSecret: temporal-visibility-db 51 | database: peerdb_temporal_visibility 52 | tls: 53 | enabled: true 54 | host: my-server.postgres.com 55 | port: "5432" 56 | web: 57 | service: 58 | type: ClusterIP 59 
| schema: 60 | setup: 61 | enabled: false 62 | update: 63 | enabled: false 64 | datadog: 65 | enabled: false 66 | global: 67 | peerdb: 68 | enterprise: 69 | saveCustomerValuesAsSecret: true 70 | 71 | # Let's assume that the below secretStore (already available) uses SSM as its backend and the secret is json encoded. Docs: https://external-secrets.io/latest/provider/aws-parameter-store/ 72 | secretsStore: 73 | name: peerdb-secret-store 74 | kind: SecretStore 75 | refreshInterval: "0" 76 | keyPrefix: /path/to/peerdb/secrets/prefix 77 | -------------------------------------------------------------------------------- /images/banner.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PeerDB-io/peerdb-enterprise/d513f4c4a8e8f2d5ebe433e40e39af2c632437a2/images/banner.jpg -------------------------------------------------------------------------------- /install_catalog.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -Eeuo pipefail 3 | 4 | # Source .env file 5 | set -a 6 | source .env 7 | set +a 8 | 9 | function echo_err() { 10 | echo "$@" >&2 11 | } 12 | 13 | CHART_MODE=${1:-install} 14 | 15 | if [[ "$CHART_MODE" == "install" ]]; then 16 | echo "Will install the chart..." 17 | HELM_ARGS=("upgrade" "--install") 18 | elif [[ "$CHART_MODE" == "template" ]]; then 19 | echo_err "Will template the chart..." 
20 | HELM_ARGS=("template") 21 | else 22 | echo_err 'USAGE: ./install_catalog.sh install|template' 23 | exit 1 24 | fi 25 | 26 | 27 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" 28 | PEERDB_CATALOG_DIR="${SCRIPT_DIR}/peerdb-catalog" 29 | 30 | "${SCRIPT_DIR}/values_catalog.sh" 31 | 32 | 33 | pushd "${PEERDB_CATALOG_DIR}" >&2 34 | 35 | 36 | export PEERDB_CATALOG_RELEASE_NAME="${PEERDB_RELEASE_NAME}-catalog" 37 | 38 | helm dependencies update >&2 39 | 40 | 41 | if [[ "$CHART_MODE" == "install" ]]; then 42 | # Workaround till https://github.com/helm/helm/pull/12362 gets merged 43 | if [[ "$CATALOG_DEPLOY_ENABLED" == "true" ]] && crds_manifests="$(helm template . \ 44 | --values ../peerdb-catalog.values.secret.yaml \ 45 | --values values.customer.yaml \ 46 | --include-crds \ 47 | --namespace "${PEERDB_K8S_NAMESPACE}" | yq -e '. | select (.kind == "CustomResourceDefinition")')" ; then 48 | echo 'Found CRDS, applying...' 49 | echo "${crds_manifests}" | kubectl apply --server-side -f - 50 | else 51 | echo 'No CRDS found' 52 | fi 53 | fi 54 | 55 | helm "${HELM_ARGS[@]}" "${PEERDB_CATALOG_RELEASE_NAME}" . \ 56 | --debug \ 57 | --values values.customer.yaml \ 58 | --values ../peerdb-catalog.values.secret.yaml \ 59 | --namespace "${PEERDB_K8S_NAMESPACE}"\ 60 | --create-namespace \ 61 | --wait \ 62 | --timeout=15m 63 | 64 | popd >&2 65 | -------------------------------------------------------------------------------- /install_peerdb.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -Eeuo pipefail 3 | 4 | # Source .env file 5 | set -a 6 | source .env 7 | set +a 8 | 9 | 10 | function echo_err() { 11 | echo "$@" >&2 12 | } 13 | 14 | CHART_MODE=${1:-install} 15 | 16 | if [[ "$CHART_MODE" == "install" ]]; then 17 | echo "Will install the chart..." 18 | HELM_ARGS=("upgrade" "--install") 19 | elif [[ "$CHART_MODE" == "template" ]]; then 20 | echo_err "Will template the chart..." 
21 | HELM_ARGS=("template") 22 | else 23 | echo_err 'USAGE: ./install_peerdb.sh install|template' 24 | exit 1 25 | fi 26 | 27 | 28 | # Now we are using the same helm chart 29 | export TEMPORAL_RELEASE_NAME="${PEERDB_RELEASE_NAME}-temporal-deploy" 30 | 31 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" 32 | PEERDB_DIR="${SCRIPT_DIR}/peerdb" 33 | 34 | "${SCRIPT_DIR}/values_peerdb.sh" 35 | 36 | 37 | pushd "${PEERDB_DIR}" >&2 38 | 39 | 40 | helm dependencies update >&2 41 | 42 | helm "${HELM_ARGS[@]}" "${PEERDB_RELEASE_NAME}" . \ 43 | --debug \ 44 | --values ../peerdb.values.secret.yaml \ 45 | --values values.customer.yaml \ 46 | --namespace "${PEERDB_K8S_NAMESPACE}"\ 47 | --create-namespace \ 48 | --wait \ 49 | --timeout=15m 50 | 51 | popd >&2 52 | 53 | if [[ "$CHART_MODE" == "install" ]]; then 54 | if [[ "$AUTHENTICATION_ENABLED" == "true" ]]; then 55 | auth_ip=$(kubectl -n "${PEERDB_K8S_NAMESPACE}" get svc authentication-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 56 | if [[ -n "${TEMPORAL_CLOUD_HOST:-}" ]]; then 57 | echo "Authenticated UI IP is $auth_ip. Please set/update DNS entries starting with \`peerdb.\`, \`peerdb-ui.\` to point to $auth_ip " 58 | else 59 | echo "Authenticated UI IP is $auth_ip. Please set/update DNS entries starting with \`temporal.\`, \`peerdb.\` and \`peerdb-ui.\` to point to $auth_ip " 60 | fi 61 | fi 62 | fi -------------------------------------------------------------------------------- /peerdb-catalog/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | pgSetup/peerdb-pg-setup 25 | images/ 26 | pgSetup/pgSetup 27 | -------------------------------------------------------------------------------- /peerdb-catalog/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: peerdb-catalog 3 | description: A Helm chart for Kubernetes 4 | # A chart can be either an 'application' or a 'library' chart. 5 | # 6 | # Application charts are a collection of templates that can be packaged into versioned archives 7 | # to be deployed. 8 | # 9 | # Library charts provide useful utilities or functions for the chart developer. They're included as 10 | # a dependency of application charts to inject those utilities and functions into the rendering 11 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 12 | type: application 13 | # This is the chart version. This version number should be incremented each time you make changes 14 | # to the chart and its templates, including the app version. 15 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 16 | version: 0.8.0 17 | # This is the version number of the application being deployed. This version number should be 18 | # incremented each time you make changes to the application. Versions are not expected to 19 | # follow Semantic Versioning. They should reflect the version the application is using. 20 | # It is recommended to use it with quotes. 21 | appVersion: "v0.22.1" 22 | maintainers: 23 | - name: PeerDB Inc. 
24 | url: https://peerdb.io/ 25 | - name: Kunal Gupta 26 | email: kunal@peerdb.io 27 | dependencies: 28 | - name: pgo 29 | repository: oci://registry.developers.crunchydata.com/crunchydata 30 | version: 5.5.0 31 | condition: deploy.enabled 32 | -------------------------------------------------------------------------------- /peerdb-catalog/README.md: -------------------------------------------------------------------------------- 1 | # peerdb-catalog 2 | 3 | ![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.22.1](https://img.shields.io/badge/AppVersion-v0.22.1-informational?style=flat-square) 4 | 5 | A Helm chart for Kubernetes 6 | 7 | ## Maintainers 8 | 9 | | Name | Email | Url | 10 | | ---- | ------ | --- | 11 | | PeerDB Inc. | | | 12 | | Kunal Gupta | | | 13 | 14 | ## Requirements 15 | 16 | | Repository | Name | Version | 17 | |------------|------|---------| 18 | | oci://registry.developers.crunchydata.com/crunchydata | pgo | 5.5.0 | 19 | 20 | ## Values 21 | 22 | | Key | Type | Default | Description | 23 | |-----|------|---------|-------------| 24 | | common.pods.affinity | object | `{}` | affinity that will be applied to all the catalog related services additively | 25 | | common.pods.imagePullSecrets | list | `[]` | image pull secrets that will be applied to all the catalog related services additively | 26 | | common.pods.nodeSelector | object | `{}` | node selector that will be applied to all the catalog related services additively | 27 | | common.pods.tolerations | list | `[]` | tolerations that will be applied to all the catalog related services additively | 28 | | credentials.admin.database | string | `"_TEMPORAL_ADMIN_DATABASE_"` | | 29 | | credentials.admin.existingSecret | string | `""` | Use an existing secret for the temporal admin user. 
Use this when saving credentials to values.yaml is not desired | 30 | | credentials.admin.existingSecretEnabledFields.user | bool | `false` | Whether to use the user field from the existing secret | 31 | | credentials.admin.password | string | `"_TEMPORAL_ADMIN_PASSWORD_"` | | 32 | | credentials.admin.user | string | `"_TEMPORAL_ADMIN_USER_"` | | 33 | | credentials.catalog.database | string | `"_CATALOG_DATABASE_"` | | 34 | | credentials.default.database | string | `"_TEMPORAL_DEFAULT_DATABASE_"` | | 35 | | credentials.default.existingSecret | string | `""` | Use an existing secret for the temporal default user. Use this when saving credentials to values.yaml is not desired | 36 | | credentials.default.existingSecretEnabledFields.user | bool | `false` | Whether to use the user field from the existing secret | 37 | | credentials.default.password | string | `"_TEMPORAL_DEFAULT_PASSWORD_"` | | 38 | | credentials.default.user | string | `"_TEMPORAL_DEFAULT_USER_"` | | 39 | | credentials.pgHost | string | `"_PG_HOST_"` | | 40 | | credentials.pgPort | string | `"_PG_PORT_"` | | 41 | | credentials.secretName | string | `"_CATALOG_DB_MANUAL_CREDS_NAME_"` | | 42 | | credentials.ssl.enabled | string | `"_TEMPORAL_SSL_MODE_"` | | 43 | | credentials.ssl.existingSecret | string | `""` | Use an existing secret for the catalog ssl certificate to use for catalog. Generally used when a custom SSL certificate is needed | 44 | | credentials.ssl.path | string | `"_TEMPORAL_SSL_CA_CERT_PATH_"` | | 45 | | credentials.ssl.type | string | `"_"` | | 46 | | credentials.visibility.database | string | `"_TEMPORAL_VISIBILITY_DATABASE_"` | | 47 | | credentials.visibility.existingSecret | string | `""` | Use an existing secret for the temporal visibility user. 
Use this when saving credentials to values.yaml is not desired | 48 | | credentials.visibility.existingSecretEnabledFields.user | bool | `false` | Whether to use the user field from the existing secret | 49 | | credentials.visibility.password | string | `"_TEMPORAL_VISIBILITY_PASSWORD_"` | | 50 | | credentials.visibility.user | string | `"_TEMPORAL_VISIBILITY_USER_"` | | 51 | | deploy.backups.volume.resources.requests.storage | string | `"384Gi"` | Storage size for the catalog backups, refer to Crunchy PGO for more details | 52 | | deploy.clusterName | string | `"_PG_CLUSTER_NAME_"` | | 53 | | deploy.enabled | bool | `true` | | 54 | | deploy.instance.volume.resources.requests.storage | string | `"128Gi"` | Storage size for the catalog instance, refer to Crunchy PGO for more details | 55 | | deploy.replicaCount | int | `3` | | 56 | | deploy.resources.limits.cpu | int | `2` | | 57 | | deploy.resources.limits.memory | string | `"2Gi"` | | 58 | | deploy.resources.requests.cpu | int | `2` | | 59 | | deploy.resources.requests.memory | string | `"2Gi"` | | 60 | | deploy.user.options | string | `"SUPERUSER"` | | 61 | | deploy.version | int | `15` | | 62 | | global.peerdb.enterprise.saveCustomerValuesAsSecret | string | `"_SAVE_VALUES_AS_SECRET_"` | Whether to save customer values as a kubernetes secret for backup, pulled from `SAVE_VALUES_AS_SECRET` from .env | 63 | | pgo.debug | bool | `true` | | 64 | | pgo.disable_check_for_upgrades | bool | `false` | | 65 | | pgo.patroni.allowed_cidr[0] | string | `"0.0.0.0/0"` | | 66 | | pgo.resources.controller.limits.cpu | int | `1` | | 67 | | pgo.resources.controller.limits.ephemeral-storage | string | `"2Gi"` | | 68 | | pgo.resources.controller.limits.memory | string | `"512Mi"` | | 69 | | pgo.resources.controller.requests.cpu | int | `1` | | 70 | | pgo.resources.controller.requests.ephemeral-storage | string | `"1Gi"` | | 71 | | pgo.resources.controller.requests.memory | string | `"512Mi"` | | 72 | | pgo.singleNamespace | bool | 
`true` | | 73 | | schema.create.enabled | bool | `true` | | 74 | | schema.create.resources.limits.cpu | float | `0.5` | | 75 | | schema.create.resources.limits.memory | string | `"512Mi"` | | 76 | | schema.create.resources.requests.cpu | float | `0.5` | | 77 | | schema.create.resources.requests.memory | string | `"512Mi"` | | 78 | | schema.resources.limits.cpu | float | `0.5` | | 79 | | schema.resources.limits.memory | string | `"512Mi"` | | 80 | | schema.resources.requests.cpu | float | `0.5` | | 81 | | schema.resources.requests.memory | string | `"512Mi"` | | 82 | | schema.setup.backoffLimit | int | `100` | | 83 | | schema.setup.debug | bool | `false` | | 84 | | schema.setup.enabled | bool | `true` | Whether to enable the schema setup job for temporal, it is recommended to have it enabled | 85 | | schema.setup.hook.enabled | bool | `false` | | 86 | | schema.setup.pods.init.image.repository | string | `"golang"` | | 87 | | schema.setup.pods.init.image.tag | string | `"alpine"` | | 88 | | schema.setup.pods.schemaCreate.repository | string | `"alpine"` | | 89 | | schema.setup.pods.schemaCreate.tag | string | `"latest"` | | 90 | | schema.test.image.repository | string | `"postgres"` | | 91 | | schema.test.image.tag | string | `"latest"` | | 92 | | schema.update.backoffLimit | int | `100` | | 93 | | schema.update.enabled | bool | `true` | Whether to enable the schema update job for temporal, it is recommended to have it enabled | 94 | | schema.update.hook.enabled | bool | `true` | | 95 | | schema.update.hook.type | string | `"pre-upgrade"` | | 96 | | temporal.admintools.image.pullPolicy | string | `"IfNotPresent"` | | 97 | | temporal.admintools.image.repository | string | `"temporalio/admin-tools"` | | 98 | | temporal.admintools.image.tag | string | `"1.24.2.1-tctl-1.18.1-cli-0.13.2"` | This should be set from the helm values for temporal dependency from the main chart | 99 | | temporal.deploy.enabled | bool | `true` | | 100 | | temporal.tls.enabled | string | 
`"_TEMPORAL_SSL_MODE_"` | | 101 | 102 | ---------------------------------------------- 103 | Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) 104 | -------------------------------------------------------------------------------- /peerdb-catalog/pgSetup/.gitignore: -------------------------------------------------------------------------------- 1 | peerdb-pg-setup 2 | 3 | ### Go ### 4 | # If you prefer the allow list template instead of the deny list, see community template: 5 | # https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore 6 | # 7 | # Binaries for programs and plugins 8 | *.exe 9 | *.exe~ 10 | *.dll 11 | *.so 12 | *.dylib 13 | 14 | # Test binary, built with `go test -c` 15 | *.test 16 | 17 | # Output of the go coverage tool, specifically when used with LiteIDE 18 | *.out 19 | 20 | # Dependency directories (remove the comment below to include it) 21 | # vendor/ 22 | 23 | # Go workspace file 24 | go.work 25 | -------------------------------------------------------------------------------- /peerdb-catalog/pgSetup/Makefile: -------------------------------------------------------------------------------- 1 | GOFILE=main.go 2 | BINARY=peerdb-pg-setup 3 | 4 | GO=go 5 | CGO_ENABLED=0 6 | 7 | all: build 8 | 9 | build: 10 | $(GO) build -ldflags "-s -w" -o $(BINARY) $(GOFILE) 11 | 12 | clean: 13 | rm -f $(BINARY) 14 | 15 | .PHONY: all build clean 16 | -------------------------------------------------------------------------------- /peerdb-catalog/pgSetup/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/PeerDB-io/pgSetup 2 | 3 | go 1.20 4 | 5 | require ( 6 | github.com/AlecAivazis/survey/v2 v2.3.7 7 | github.com/jackc/pgx/v5 v5.6.0 8 | github.com/sirupsen/logrus v1.9.3 9 | ) 10 | 11 | require ( 12 | github.com/jackc/pgpassfile v1.0.0 // indirect 13 | github.com/jackc/pgservicefile 
v0.0.0-20240606120523-5a60cdf6a761 // indirect 14 | github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect 15 | github.com/mattn/go-colorable v0.1.13 // indirect 16 | github.com/mattn/go-isatty v0.0.20 // indirect 17 | github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect 18 | golang.org/x/crypto v0.25.0 // indirect 19 | golang.org/x/sys v0.22.0 // indirect 20 | golang.org/x/term v0.22.0 // indirect 21 | golang.org/x/text v0.16.0 // indirect 22 | ) 23 | -------------------------------------------------------------------------------- /peerdb-catalog/pgSetup/go.sum: -------------------------------------------------------------------------------- 1 | github.com/AlecAivazis/survey/v2 v2.3.7 h1:6I/u8FvytdGsgonrYsVn2t8t4QiRnh6QSTqkkhIiSjQ= 2 | github.com/AlecAivazis/survey/v2 v2.3.7/go.mod h1:xUTIdE4KCOIjsBAE1JYsUPoCqYdZ1reCfTwbto0Fduo= 3 | github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s= 4 | github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w= 5 | github.com/creack/pty v1.1.17 h1:QeVUsEDNrLBW4tMgZHvxy18sKtr6VI492kBhUfhDJNI= 6 | github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= 7 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 8 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 9 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 10 | github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog= 11 | github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68= 12 | github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM= 13 | github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= 14 | 
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo= 15 | github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= 16 | github.com/jackc/pgx/v5 v5.6.0 h1:SWJzexBzPL5jb0GEsrPMLIsi/3jOo7RHlzTjcAeDrPY= 17 | github.com/jackc/pgx/v5 v5.6.0/go.mod h1:DNZ/vlrUnhWCoFGxHAG8U2ljioxukquj7utPDgtQdTw= 18 | github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk= 19 | github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs= 20 | github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8= 21 | github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= 22 | github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= 23 | github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= 24 | github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= 25 | github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= 26 | github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= 27 | github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= 28 | github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= 29 | github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI= 30 | github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= 31 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 32 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 33 | github.com/sirupsen/logrus v1.9.3 
h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= 34 | github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= 35 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 36 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 37 | github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 38 | github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 39 | github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= 40 | github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= 41 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 42 | golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= 43 | golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= 44 | golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= 45 | golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 46 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 47 | golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= 48 | golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= 49 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 50 | golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 51 | golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= 52 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 53 | golang.org/x/sys 
v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 54 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 55 | golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 56 | golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 57 | golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 58 | golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 59 | golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 60 | golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 61 | golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= 62 | golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 63 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 64 | golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 65 | golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= 66 | golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= 67 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 68 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 69 | golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= 70 | golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= 71 | golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= 72 | golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= 73 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod 
h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 74 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 75 | golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= 76 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 77 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 78 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 79 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 80 | -------------------------------------------------------------------------------- /peerdb-catalog/pgSetup/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "context" 5 | "errors" 6 | "fmt" 7 | "net/url" 8 | "os" 9 | 10 | "github.com/AlecAivazis/survey/v2" 11 | "github.com/jackc/pgx/v5" 12 | "github.com/sirupsen/logrus" 13 | ) 14 | 15 | type Config struct { 16 | Host string 17 | Port string 18 | User string 19 | Password string 20 | Database string 21 | TemporalDeployEnabled bool 22 | TemporalUser string 23 | TemporalPassword string 24 | TemporalDB string 25 | TemporalVisibilityDB string 26 | PeerDBCatalogDB string 27 | AssumeYes bool 28 | } 29 | 30 | func (cfg *Config) Validate() error { 31 | if cfg.Host == "" { 32 | return errors.New("missing PG_HOST") 33 | } 34 | if cfg.Port == "" { 35 | return errors.New("missing PG_PORT") 36 | } 37 | if cfg.User == "" { 38 | return errors.New("missing PG_USER") 39 | } 40 | if cfg.Password == "" { 41 | return errors.New("missing PG_PASSWORD") 42 | } 43 | if cfg.Database == "" { 44 | return errors.New("missing PG_DATABASE") 45 | } 46 | if cfg.TemporalUser == "" { 47 | return errors.New("missing TEMPORAL_USER") 48 | } 49 | if cfg.TemporalPassword == "" { 50 | return errors.New("missing 
TEMPORAL_PASSWORD")
51 | }
52 | if cfg.TemporalDB == "" {
53 | return errors.New("missing TEMPORAL_DB")
54 | }
55 | if cfg.TemporalVisibilityDB == "" {
56 | return errors.New("missing TEMPORAL_VISIBILITY_DB")
57 | }
58 | if cfg.PeerDBCatalogDB == "" {
// NOTE(review): main() fills PeerDBCatalogDB from PEERDB_CATALOG_DATABASE, so the
// variable named in this message is not the one the operator actually has to set.
59 | return errors.New("missing PEER_DB_CATALOG_DB")
60 | }
61 | return nil
62 | }
63 | 
// GetDSN builds a postgres:// URL for dbname from the admin host, port, user and
// password held in cfg. The URL carries no sslmode parameter, so whether this
// bootstrap connection uses TLS is left to the driver's default (pgx documents
// "prefer", which falls back to a cleartext session — verify against the pgx
// version in go.mod); credentials.ssl.enabled / temporal.tls.enabled from the chart
// values are not consulted here.
64 | func (cfg *Config) GetDSN(dbname string) string {
// NOTE(review): url.QueryEscape is form encoding: a space in the password becomes
// "+", and "+" is a literal character inside the userinfo part of a URL, so such a
// password is sent wrong. Building the URL as
// (&url.URL{Scheme: "postgres", User: url.UserPassword(cfg.User, cfg.Password), Host: ..., Path: dbname}).String()
// escapes the userinfo correctly for every character.
65 | // encode the password to avoid special characters issues
66 | encodedPassword := url.QueryEscape(cfg.Password)
67 | return fmt.Sprintf("postgres://%s:%s@%s:%s/%s", cfg.User, encodedPassword, cfg.Host, cfg.Port, dbname)
68 | }
69 | 
// connectToPostgres opens a connection to the admin database (cfg.Database).
// It is connectToPostgresWithDB with dbname fixed to cfg.Database; the caller
// owns the returned *pgx.Conn and must Close it.
70 | func connectToPostgres(ctx context.Context, cfg *Config) (*pgx.Conn, error) {
71 | conn, err := pgx.Connect(ctx, cfg.GetDSN(cfg.Database))
72 | if err != nil {
73 | return nil, fmt.Errorf("failed to connect to PostgreSQL: %w", err)
74 | }
75 | return conn, nil
76 | }
77 | 
// connectToPostgresWithDB opens a connection to dbname with the credentials in
// cfg. The caller owns the returned *pgx.Conn and must Close it.
78 | func connectToPostgresWithDB(ctx context.Context, cfg *Config, dbname string) (*pgx.Conn, error) {
79 | conn, err := pgx.Connect(ctx, cfg.GetDSN(dbname))
80 | if err != nil {
81 | return nil, fmt.Errorf("failed to connect to PostgreSQL: %w", err)
82 | }
83 | return conn, nil
84 | }
85 | 
// executeQuery runs query as one statement with no bind parameters. It executes
// whatever text it is handed, so each caller is responsible for quoting the
// identifiers and literals it interpolates (the CREATE/GRANT statements below are
// built with fmt.Sprintf). It uses context.Background() rather than the ctx its
// callers hold, so a cancellation or deadline on that ctx never reaches these
// statements.
86 | func executeQuery(conn *pgx.Conn, query string) error {
87 | _, err := conn.Exec(context.Background(), query)
88 | if err != nil {
89 | return fmt.Errorf("failed to execute query: %w", err)
90 | }
91 | return nil
92 | }
93 | 
// log is the package logger; its formatter and level are set in main().
94 | var log = logrus.New()
95 | 
// checkAndCreateUser creates the Temporal role named by cfg.TemporalUser when
// pg_roles has no row for it, asking for confirmation first unless cfg.AssumeYes
// is set. The existence lookup binds the name as $1; the CREATE USER that follows
// (further down in this function) is assembled by string formatting instead.
96 | func checkAndCreateUser(conn *pgx.Conn, ctx context.Context, cfg *Config) error {
97 | var roleName string
98 | err := conn.QueryRow(ctx, "SELECT rolname FROM pg_roles WHERE rolname=$1", cfg.TemporalUser).Scan(&roleName)
99 | 
100 | switch {
101 | case errors.Is(err, pgx.ErrNoRows):
102 | prompt := survey.Confirm{
103 | Message: fmt.Sprintf("User %s does not exist. 
Do you want to create it?", cfg.TemporalUser),
// The prompt default mirrors AssumeYes; when AssumeYes is set the prompt is
// skipped altogether (below), so the default only matters for the interactive path.
104 | Default: cfg.AssumeYes,
105 | }
106 | confirm := false
107 | if cfg.AssumeYes {
108 | confirm = true
109 | } else {
// This err shadows the lookup err of the enclosing switch; the switch has already
// matched ErrNoRows, and line 116 assigns the outer variable again afterwards.
110 | err := survey.AskOne(&prompt, &confirm)
111 | if err != nil || !confirm {
112 | return errors.New("operation aborted")
113 | }
114 | }
115 | log.Infof("Creating user %s...", cfg.TemporalUser)
// NOTE(review): the role name and the password are interpolated into the statement
// as raw text. A password containing a single quote, or a role name that is not a
// plain lowercase identifier, yields a syntax error or a statement different from
// the intended one. CREATE USER cannot take bind parameters, so quote both pieces:
// pgx.Identifier{cfg.TemporalUser}.Sanitize() for the role, and the password with
// every ' doubled (strings.ReplaceAll(p, "'", "''"), which needs a strings import)
// inside the literal.
116 | err = executeQuery(conn, fmt.Sprintf("CREATE USER %s WITH PASSWORD '%s';", cfg.TemporalUser, cfg.TemporalPassword))
117 | if err != nil {
118 | return err
119 | }
120 | case err != nil:
121 | return err
122 | default:
123 | log.Infof("User %s already exists", roleName)
124 | }
125 | 
126 | return nil
127 | }
128 | 
// checkAndCreateDB creates database dbName when pg_database has no row for it
// (confirming first unless cfg.AssumeYes), then grants user ALL PRIVILEGES on the
// database and on its public schema. The existence check binds dbName as $1; the
// statements that follow are assembled with fmt.Sprintf.
129 | func checkAndCreateDB(cfg *Config, conn *pgx.Conn, ctx context.Context, dbName, user string) error {
130 | var name string
131 | err := conn.QueryRow(ctx, "SELECT datname FROM pg_database WHERE datname=$1", dbName).Scan(&name)
132 | 
133 | switch {
134 | case errors.Is(err, pgx.ErrNoRows):
135 | prompt := survey.Confirm{
136 | Message: fmt.Sprintf("Database %s does not exist. 
Do you want to create it?", dbName),
137 | Default: cfg.AssumeYes,
138 | }
139 | confirm := false
140 | if cfg.AssumeYes {
141 | confirm = true
142 | } else {
143 | err := survey.AskOne(&prompt, &confirm)
144 | if err != nil || !confirm {
145 | return errors.New("operation aborted")
146 | }
147 | }
148 | log.Infof("Creating database %s...", dbName)
// NOTE(review): dbName and user are spliced in unquoted here and in the two GRANTs
// below. A name containing "-" or "." (both allowed by the user-name regex in
// catalog-postgres-cluster.yaml) or uppercase letters is rejected or case-folded by
// the server. Wrapping each in pgx.Identifier{name}.Sanitize() keeps the statement
// as intended for any name.
149 | err = executeQuery(conn, fmt.Sprintf("CREATE DATABASE %s;", dbName))
150 | if err != nil {
151 | return err
152 | }
153 | 
154 | log.Infof("Granting privileges on database %s to user %s...", dbName, user)
155 | err = executeQuery(conn, fmt.Sprintf("GRANT ALL PRIVILEGES ON DATABASE %s to %s;", dbName, user))
156 | if err != nil {
157 | return err
158 | }
159 | 
// The schema grant has to run inside the new database, hence the second
// connection; it is closed when this function returns.
160 | dbConn, err := connectToPostgresWithDB(ctx, cfg, dbName)
161 | if err != nil {
162 | return err
163 | }
164 | defer dbConn.Close(ctx)
165 | 
166 | err = executeQuery(dbConn, fmt.Sprintf("GRANT ALL PRIVILEGES ON SCHEMA public TO %s;", user))
167 | if err != nil {
168 | return err
169 | }
170 | case err != nil:
171 | return err
172 | default:
173 | log.Infof("Database %s already exists", name)
174 | }
175 | 
176 | return nil
177 | }
178 | 
// createUserAndDatabases is the orchestration entry point: it connects to the
// admin database, creates the Temporal role and its two databases when
// cfg.TemporalDeployEnabled is set, and then creates the PeerDB catalog database,
// granted to cfg.User. Failures of a database step are logged here and returned.
179 | func createUserAndDatabases(cfg *Config) error {
180 | ctx := context.Background()
181 | conn, err := connectToPostgres(ctx, cfg)
182 | if err != nil {
183 | return err
184 | }
185 | defer conn.Close(ctx)
186 | 
187 | log.Infof("Connected to PostgreSQL at %s:%s", cfg.Host, cfg.Port)
// The two TemporalDeployEnabled checks guard consecutive steps: the role has to
// exist before the databases below are granted to it.
188 | if cfg.TemporalDeployEnabled {
189 | err = checkAndCreateUser(conn, ctx, cfg)
190 | if err != nil {
191 | return err
192 | }
193 | }
194 | 
195 | if cfg.TemporalDeployEnabled {
196 | temporalDBs := []string{cfg.TemporalDB, cfg.TemporalVisibilityDB}
197 | for _, db := range temporalDBs {
198 | err = checkAndCreateDB(cfg, conn, ctx, db, cfg.TemporalUser)
199 | if err != nil {
200 | log.Errorf("Failed to create database %s: %v", db, err)
201 | return err
202 | }
203 | }
204 | }
205 | 
206 | err = checkAndCreateDB(cfg, conn, ctx, 
cfg.PeerDBCatalogDB, cfg.User) 207 | if err != nil { 208 | log.Errorf("Failed to create database %s: %v", cfg.PeerDBCatalogDB, err) 209 | return err 210 | } 211 | 212 | log.Infof("All done!") 213 | return nil 214 | } 215 | 216 | func main() { 217 | log.SetFormatter(&logrus.TextFormatter{ 218 | FullTimestamp: true, 219 | }) 220 | log.SetLevel(logrus.InfoLevel) 221 | 222 | cfg := &Config{ 223 | Host: os.Getenv("PG_HOST"), 224 | Port: os.Getenv("PG_PORT"), 225 | User: os.Getenv("PG_USER"), 226 | Password: os.Getenv("PG_PASSWORD"), 227 | Database: os.Getenv("PG_DATABASE"), 228 | TemporalDeployEnabled: os.Getenv("TEMPORAL_DEPLOY_ENABLED") == "true", 229 | TemporalUser: os.Getenv("TEMPORAL_USER"), 230 | TemporalPassword: os.Getenv("TEMPORAL_PASSWORD"), 231 | TemporalDB: os.Getenv("TEMPORAL_DB"), 232 | TemporalVisibilityDB: os.Getenv("TEMPORAL_VISIBILITY_DB"), 233 | PeerDBCatalogDB: os.Getenv("PEERDB_CATALOG_DATABASE"), 234 | AssumeYes: os.Getenv("ASSUME_YES") == "true", 235 | } 236 | 237 | err := cfg.Validate() 238 | if err != nil { 239 | log.Fatalf("Invalid configuration: %v", err) 240 | } 241 | 242 | err = createUserAndDatabases(cfg) 243 | if err != nil { 244 | log.Fatalf("Failed to create user and databases: %v", err) 245 | } 246 | } 247 | -------------------------------------------------------------------------------- /peerdb-catalog/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "catalog.secretName" -}} 2 | {{- .Values.credentials.secretName }} 3 | {{- end -}} 4 | 5 | {{- define "catalog.deployed.secretName" -}} 6 | {{ printf "%s-%s-%s" (.Values.deploy.clusterName) "pguser" (.Values.catalog.pgUser) }} 7 | {{- end -}} 8 | 9 | {{- define "catalog.secretNameToUse" -}} 10 | {{- if .Values.deploy.enabled -}} 11 | {{/* The secret with given keys is auto-generated by the operator if we seek to use it, else we create ourselves*/}} 12 | {{- include "catalog.deployed.secretName" . 
-}} 13 | {{- else -}} 14 | {{- include "catalog.secretName" . -}} 15 | {{- end -}} 16 | {{- end -}} 17 | 18 | {{- define "deploy.postgres.name" -}} 19 | {{ .Values.deploy.clusterName }} 20 | {{- end -}} 21 | {{- define "deploy.postgres.cluster.name" -}} 22 | {{ .Values.deploy.clusterName }} 23 | {{- end -}} 24 | {{- define "deploy.schema.create.config.name" -}} 25 | {{ .Values.deploy.clusterName }}-create-schema 26 | {{- end -}} 27 | 28 | 29 | {{- define "catalog.ssl.certificate.defaultSecretName" -}} 30 | catalog-ssl-certificate 31 | {{- end -}} 32 | 33 | 34 | 35 | {{- define "catalog.ssl.certificate.secretName" -}} 36 | {{- if not .Values.credentials.ssl.existingSecret }} 37 | {{- include "catalog.ssl.certificate.defaultSecretName" . -}} 38 | {{- else -}} 39 | {{- .Values.credentials.ssl.existingSecret }} 40 | {{- end -}} 41 | {{- end -}} -------------------------------------------------------------------------------- /peerdb-catalog/templates/catalog-postgres-cluster.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.deploy.enabled }} 2 | {{- $temporalDefaultUser := .Values.credentials.default.user }} 3 | {{- $temporalVisibilitytUser := .Values.credentials.visibility.user }} 4 | {{- $temporalDefaultDb := .Values.credentials.default.database }} 5 | {{- $temporalVisibilityDb := .Values.credentials.visibility.database }} 6 | apiVersion: v1 7 | kind: ConfigMap 8 | metadata: 9 | name: {{ include "deploy.postgres.name" . 
}}-init-sql
10 | data:
11 | init.sql: |
{{- /* init.sql is run by PGO once after the cluster is bootstrapped; it grants
CREATE on the public schema of each database to the role that uses it. The
identifiers are rendered inside double quotes, so names with "-" or "." survive. */}}
12 | {{- $dbUsersDict := dict .Values.credentials.catalog.database .Values.credentials.admin.user $temporalDefaultDb $temporalDefaultUser $temporalVisibilityDb $temporalVisibilitytUser }}
13 | {{- if not .Values.temporal.deploy.enabled }}
{{- /* NOTE(review): ":=" inside the if declares a new variable scoped to this
block, so the outer $dbUsersDict from line 12 is unchanged after "end"; and the
range on line 16 builds its own dict instead of reading $dbUsersDict at all. The
temporal "\c" and GRANT lines are therefore emitted even when
temporal.deploy.enabled is false, where those databases are not created here.
Intended form: "{{- $dbUsersDict = dict ... }}" on line 14 and
"{{- range $db, $user := $dbUsersDict }}" on line 16. */}}
14 | {{- $dbUsersDict := dict .Values.credentials.catalog.database .Values.credentials.admin.user }}
15 | {{- end }}
16 | {{- range $db, $user := dict .Values.credentials.catalog.database .Values.credentials.admin.user $temporalDefaultDb $temporalDefaultUser $temporalVisibilityDb $temporalVisibilitytUser }}
17 | \c {{ $db }}
18 | GRANT CREATE ON SCHEMA public TO "{{ $user }}";
19 | {{- end }}
20 | 
21 | ---
22 | apiVersion: postgres-operator.crunchydata.com/v1beta1
23 | kind: PostgresCluster
24 | metadata:
25 | name: {{ include "deploy.postgres.cluster.name" . }}
26 | spec:
27 | postgresVersion: {{ .Values.deploy.version }}
28 | patroni:
29 | dynamicConfiguration:
30 | postgresql:
31 | parameters:
32 | max_connections: 1000
{{- /* NOTE(review): pgo.patroni.allowed_cidr defaults to 0.0.0.0/0 (values table),
so every address that can reach the Postgres pods is admitted by this rule,
authenticated with scram-sha-256. "host" matches TLS and plain sessions alike;
"hostssl" would restrict the rule to TLS sessions. Narrowing the list to the
pod/node ranges that need access is the least-privilege setting for production. */}}
33 | {{- if .Values.pgo.patroni.allowed_cidr }}
34 | pg_hba:
35 | {{- range $single_cidr := .Values.pgo.patroni.allowed_cidr }}
36 | - host all all {{ $single_cidr }} scram-sha-256
37 | {{- end }}
38 | {{- end }}
39 | 
40 | log:
41 | level: DEBUG
42 | databaseInitSQL:
43 | key: init.sql
44 | name: {{ include "deploy.postgres.name" . }}-init-sql
45 | 
46 | instances:
47 | - name: {{ include "deploy.postgres.cluster.name" . }}
48 | replicas: {{ .Values.deploy.replicaCount }}
49 | dataVolumeClaimSpec:
50 | {{- if .Values.deploy.instance.volume.storageClassName }}
51 | storageClassName: {{ .Values.deploy.instance.volume.storageClassName }}
52 | {{- end }}
53 | accessModes:
54 | - "ReadWriteOnce"
55 | resources:
56 | requests:
57 | storage: {{ .Values.deploy.instance.volume.resources.requests.storage }}
58 | {{- with .Values.deploy.resources }}
59 | resources: {{ toYaml . 
| nindent 9 }} 60 | {{- end }} 61 | 62 | users: 63 | {{- $usernameRegex := `^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$` }} 64 | {{- $errorMessage := (print " postgres user should match regex: '" $usernameRegex "' (should NOT contain underscores)" ) }} 65 | {{- $_1 := mustRegexFind $usernameRegex .Values.credentials.admin.user | required (print "catalog" $errorMessage) }} 66 | {{- $_2 := mustRegexFind $usernameRegex $temporalDefaultUser | required (print "temporal-default" $errorMessage) }} 67 | {{- $_3 := mustRegexFind $usernameRegex $temporalVisibilitytUser | required (print "temporal-visibility" $errorMessage) }} 68 | # cfg.temporalUser - cfg.temporaldb, cfg.temporalvsibilitydb 69 | # cfg.User - PeerDBCatalogDB 70 | - name: {{ .Values.credentials.admin.user }} 71 | databases: 72 | - {{ .Values.credentials.admin.database }} 73 | {{- if ne .Values.credentials.admin.database .Values.credentials.catalog.database }} 74 | - {{ .Values.credentials.catalog.database }} 75 | {{- end }} 76 | options: {{ .Values.deploy.user.options | quote }} 77 | {{ if .Values.temporal.deploy.enabled }} 78 | {{- if eq $temporalDefaultUser $temporalVisibilitytUser }} 79 | - name: {{ $temporalDefaultUser | quote }} 80 | databases: 81 | - {{ $temporalDefaultDb | quote }} 82 | - {{ $temporalVisibilityDb | quote }} 83 | {{- else }} 84 | - name: {{ $temporalDefaultUser | quote }} 85 | databases: 86 | - {{ $temporalDefaultDb | quote }} 87 | - name: {{ $temporalVisibilitytUser | quote }} 88 | databases: 89 | - {{ $temporalVisibilityDb | quote }} 90 | {{- end }} 91 | {{- end }} 92 | backups: 93 | pgbackrest: 94 | global: 95 | repo1-retention-full: "14" 96 | repo1-retention-full-type: time 97 | repos: 98 | - name: repo1 99 | schedules: 100 | full: "0 1 * * 0" 101 | differential: "0 1 * * 1-6" 102 | volume: 103 | volumeClaimSpec: 104 | accessModes: 105 | - "ReadWriteOnce" 106 | resources: 107 | requests: 108 | storage: {{ .Values.deploy.backups.volume.resources.requests.storage 
}} 109 | {{- end }} -------------------------------------------------------------------------------- /peerdb-catalog/templates/catalog-ssl-certificate-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.credentials.ssl.enabled (not .Values.credentials.ssl.existingSecret) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "catalog.ssl.certificate.defaultSecretName" . }} 6 | annotations: 7 | {{- if or .Values.schema.setup.hook.enabled .Values.schema.update.hook.enabled }} 8 | "helm.sh/hook": pre-install,pre-upgrade 9 | "helm.sh/hook-weight": "-2" 10 | {{- end }} 11 | stringData: 12 | certificate: | 13 | {{- if eq .Values.credentials.ssl.type "RDS" }} 14 | {{- .Files.Get "aws-ca-bundle.pem" | nindent 4 }} 15 | {{- else }} 16 | {{- .Files.Get .Values.credentials.ssl.path | nindent 4 }} 17 | {{- end }} 18 | {{- end }} -------------------------------------------------------------------------------- /peerdb-catalog/templates/customer-values-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.peerdb.enterprise.saveCustomerValuesAsSecret }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: values-customer-peerdb-catalog 6 | stringData: 7 | "peerdb.values.customer.yaml" : | 8 | {{ .Files.Get "values.customer.yaml" | indent 4 }} 9 | {{- end }} -------------------------------------------------------------------------------- /peerdb-catalog/templates/setup-catalog-schema-jobs.yaml: -------------------------------------------------------------------------------- 1 | {{- $temporalValues := index .Values "temporal" }} 2 | {{- $credentialStore := .Values.credentials }} 3 | {{- if and .Values.schema.setup.enabled .Values.temporal.deploy.enabled .Release.IsInstall }} 4 | apiVersion: batch/v1 5 | kind: Job 6 | metadata: 7 | name: temporal-schema-setup 8 | labels: 9 | app.kubernetes.io/name: temporal-schema-setup 10 | 
app.kubernetes.io/managed-by: {{ .Release.Service }} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} 13 | app.kubernetes.io/component: database 14 | app.kubernetes.io/part-of: {{ .Chart.Name }} 15 | annotations: 16 | {{- if .Values.schema.setup.hook.enabled }} 17 | "helm.sh/hook": pre-install 18 | "helm.sh/hook-weight": "0" 19 | {{- if not .Values.schema.setup.debug }} 20 | "helm.sh/hook-delete-policy": hook-succeeded,hook-failed 21 | {{- end }} 22 | {{- end }} 23 | spec: 24 | backoffLimit: {{ .Values.schema.setup.backoffLimit }} 25 | template: 26 | metadata: 27 | name: temporal-schema-setup 28 | labels: 29 | app.kubernetes.io/name: temporal-schema-setup 30 | app.kubernetes.io/managed-by: {{ .Release.Service }} 31 | app.kubernetes.io/instance: {{ .Release.Name }} 32 | app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} 33 | app.kubernetes.io/component: database 34 | app.kubernetes.io/part-of: {{ .Chart.Name }} 35 | spec: 36 | restartPolicy: "OnFailure" 37 | {{- with .Values.common.pods.affinity }} 38 | affinity: 39 | {{- . | toYaml | nindent 8 }} 40 | {{- end }} 41 | {{- with .Values.common.pods.nodeSelector }} 42 | nodeSelector: 43 | {{- . | toYaml | nindent 8 }} 44 | {{- end }} 45 | {{- with .Values.common.pods.tolerations }} 46 | tolerations: 47 | {{- . | toYaml | nindent 8 }} 48 | {{- end }} 49 | {{- with .Values.common.pods.imagePullSecrets }} 50 | imagePullSecrets: 51 | {{- . | toYaml | nindent 10 }} 52 | {{- end }} 53 | initContainers: 54 | {{- range $store := (list "default" "visibility") }} 55 | {{- $storeConfig := index $credentialStore $store }} 56 | - name: setup-{{ $store }}-schema 57 | image: "{{ $temporalValues.admintools.image.repository }}:{{ $temporalValues.admintools.image.tag }}" 58 | 59 | imagePullPolicy: {{ $temporalValues.admintools.image.pullPolicy }} 60 | command: ['bash', '-c', 'while ! 
timeout 1 nc -vz "${SQL_HOST}" "${SQL_PORT}"; do sleep 1; done && temporal-sql-tool setup-schema -v 0.0']
61 | env:
62 | - name: SQL_PLUGIN
63 | value: "postgres12"
64 | - name: SQL_HOST
65 | value: {{ $credentialStore.pgHost | quote }}
66 | - name: SQL_PORT
67 | value: {{ $credentialStore.pgPort | quote }}
68 | - name: SQL_DATABASE
69 | value: {{ $storeConfig.database | quote }}
70 | - name: SQL_TLS
71 | value: '{{ $temporalValues.tls.enabled }}'
72 | {{- if $temporalValues.tls.enabled }}
73 | - name: SQL_TLS_CA_FILE
74 | value: /mounted/ca-file/certificate
75 | {{- end }}
{{- /* The user is read from the existing secret only when
existingSecretEnabledFields.user is also set; otherwise the plain value is used. */}}
76 | {{- if (or $storeConfig.user $storeConfig.existingSecret) }}
77 | - name: SQL_USER
78 | {{- if and $storeConfig.existingSecret $storeConfig.existingSecretEnabledFields.user }}
79 | valueFrom:
80 | secretKeyRef:
81 | name: {{ $storeConfig.existingSecret }}
82 | key: "user"
83 | {{- else }}
{{- /* NOTE(review): unlike SQL_HOST/SQL_PORT/SQL_DATABASE above, this value and
SQL_PASSWORD on line 96 are rendered without "| quote". A value YAML reads as a
non-string (all digits, true/yes/no, or text containing ": " or " #") produces an
invalid or altered env var; render both as "{{ $storeConfig.user | quote }}" and
"{{ $storeConfig.password | quote }}". The same env block is repeated for the
"containers:" section of this Job. */}}
84 | value: {{ $storeConfig.user }}
85 | {{- end }}
86 | {{- end }}
87 | {{/* # TODO Check this */}}
{{- /* Whenever existingSecret is set the password always comes from that secret's
"password" key, which keeps it out of the rendered Job manifest; the plain "value"
branch below places it in the pod spec in clear text, so the existingSecret path is
the one to use in production. */}}
88 | {{- if (or $storeConfig.password $storeConfig.existingSecret) }}
89 | - name: SQL_PASSWORD
90 | {{- if $storeConfig.existingSecret }}
91 | valueFrom:
92 | secretKeyRef:
93 | name: {{ $storeConfig.existingSecret }}
94 | key: "password"
95 | {{- else }}
96 | value: {{ $storeConfig.password }}
97 | {{- end }}
98 | {{- end }}
99 | {{- if $temporalValues.tls.enabled }}
100 | volumeMounts:
101 | - mountPath: /mounted/ca-file
102 | name: db-ssl-certificate
103 | {{- end }}
104 | {{- end }}
105 | {{- with .Values.schema.resources }}
106 | resources:
107 | {{- toYaml . | nindent 12 }}
108 | {{- end }}
109 | {{- with .Values.schema.containerSecurityContext }}
110 | securityContext:
111 | {{- toYaml . 
| nindent 12 }} 112 | {{- end }} 113 | containers: 114 | {{- range $store := (list "default" "visibility") }} 115 | {{- $storeConfig := index $credentialStore $store }} 116 | - name: update-{{ $store }}-schema 117 | image: "{{ $temporalValues.admintools.image.repository }}:{{ $temporalValues.admintools.image.tag }}" 118 | imagePullPolicy: {{ $temporalValues.admintools.image.pullPolicy }} 119 | command: ['temporal-sql-tool', 'update', '--schema-dir', '/etc/temporal/schema/postgresql/v12/{{ eq $store "default" | ternary "temporal" $store }}/versioned'] 120 | env: 121 | - name: SQL_PLUGIN 122 | value: "postgres12" 123 | - name: SQL_HOST 124 | value: {{ $credentialStore.pgHost | quote }} 125 | - name: SQL_PORT 126 | value: {{ $credentialStore.pgPort | quote }} 127 | - name: SQL_DATABASE 128 | value: {{ $storeConfig.database | quote }} 129 | - name: SQL_TLS 130 | value: '{{ $temporalValues.tls.enabled }}' 131 | {{- if $temporalValues.tls.enabled }} 132 | - name: SQL_TLS_CA_FILE 133 | value: /mounted/ca-file/certificate 134 | {{- end }} 135 | {{- if (or $storeConfig.user $storeConfig.existingSecret) }} 136 | - name: SQL_USER 137 | {{- if and $storeConfig.existingSecret $storeConfig.existingSecretEnabledFields.user }} 138 | valueFrom: 139 | secretKeyRef: 140 | name: {{ $storeConfig.existingSecret }} 141 | key: "user" 142 | {{- else }} 143 | value: {{ $storeConfig.user }} 144 | {{- end }} 145 | {{- end }} 146 | {{/* # TODO Check this */}} 147 | {{- if (or $storeConfig.password $storeConfig.existingSecret) }} 148 | - name: SQL_PASSWORD 149 | {{- if $storeConfig.existingSecret }} 150 | valueFrom: 151 | secretKeyRef: 152 | name: {{ $storeConfig.existingSecret }} 153 | key: "password" 154 | {{- else }} 155 | value: {{ $storeConfig.password }} 156 | {{- end }} 157 | {{- end }} 158 | {{- if $temporalValues.tls.enabled }} 159 | volumeMounts: 160 | - mountPath: /mounted/ca-file 161 | name: db-ssl-certificate 162 | {{- end }} 163 | {{- end }} 164 | {{- with .Values.schema.resources 
}} 165 | resources: 166 | {{- toYaml . | nindent 12 }} 167 | {{- end }} 168 | {{- with .Values.schema.containerSecurityContext }} 169 | securityContext: 170 | {{- toYaml . | nindent 12 }} 171 | {{- end }} 172 | {{- if $temporalValues.tls.enabled }} 173 | volumes: 174 | - name: db-ssl-certificate 175 | secret: 176 | secretName: {{include "catalog.ssl.certificate.secretName" . }} 177 | {{- end }} 178 | {{- with .Values.schema.securityContext }} 179 | securityContext: 180 | {{- toYaml . | nindent 8 }} 181 | {{- end }} 182 | {{- with $.Values.deploy.imagePullSecrets }} 183 | imagePullSecrets: 184 | {{- toYaml . | nindent 8 }} 185 | {{- end }} 186 | {{- with (default $temporalValues.admintools.nodeSelector) }} 187 | nodeSelector: 188 | {{- toYaml . | nindent 8 }} 189 | {{- end }} 190 | {{- with $temporalValues.admintools.affinity }} 191 | affinity: 192 | {{- toYaml . | nindent 8 }} 193 | {{- end }} 194 | {{- with $temporalValues.admintools.tolerations }} 195 | tolerations: 196 | {{- toYaml . 
| nindent 8 }} 197 | {{- end }} 198 | --- 199 | {{- end }} 200 | {{- if and .Values.schema.update.enabled .Values.temporal.deploy.enabled }} 201 | apiVersion: batch/v1 202 | kind: Job 203 | metadata: 204 | name: temporal-schema-update 205 | labels: 206 | app.kubernetes.io/name: temporal-schema-update 207 | app.kubernetes.io/managed-by: {{ .Release.Service }} 208 | app.kubernetes.io/instance: {{ .Release.Name }} 209 | app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} 210 | app.kubernetes.io/component: database 211 | app.kubernetes.io/part-of: {{ .Chart.Name }} 212 | annotations: 213 | {{- if .Values.schema.update.hook.enabled }} 214 | {{- if .Values.schema.update.hook.type }} 215 | "helm.sh/hook": {{ .Values.schema.update.hook.type }} 216 | {{- else if $temporalValues.cassandra.enabled }} 217 | "helm.sh/hook": post-install,pre-upgrade 218 | {{- else }} 219 | "helm.sh/hook": pre-install,pre-upgrade 220 | {{- end }} 221 | "helm.sh/hook-weight": "1" 222 | {{- if not $temporalValues.debug }} 223 | "helm.sh/hook-delete-policy": hook-succeeded,hook-failed 224 | {{- end }} 225 | {{- end }} 226 | spec: 227 | backoffLimit: {{ .Values.schema.update.backoffLimit }} 228 | template: 229 | metadata: 230 | name: temporal-schema-update 231 | labels: 232 | app.kubernetes.io/name: temporal-schema-update 233 | app.kubernetes.io/managed-by: {{ .Release.Service }} 234 | app.kubernetes.io/instance: {{ .Release.Name }} 235 | app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} 236 | app.kubernetes.io/component: database 237 | app.kubernetes.io/part-of: {{ .Chart.Name }} 238 | spec: 239 | restartPolicy: "OnFailure" 240 | {{- with .Values.common.pods.affinity }} 241 | affinity: 242 | {{- . | toYaml | nindent 8 }} 243 | {{- end }} 244 | {{- with .Values.common.pods.nodeSelector }} 245 | nodeSelector: 246 | {{- . | toYaml | nindent 8 }} 247 | {{- end }} 248 | {{- with .Values.common.pods.tolerations }} 249 | tolerations: 250 | {{- . 
| toYaml | nindent 8 }} 251 | {{- end }} 252 | {{- with .Values.common.pods.imagePullSecrets }} 253 | imagePullSecrets: 254 | {{- . | toYaml | nindent 10 }} 255 | {{- end }} 256 | containers: 257 | {{- range $store := (list "default" "visibility") }} 258 | {{- $storeConfig := index $credentialStore $store }} 259 | - name: update-{{ $store }}-schema 260 | image: "{{ $temporalValues.admintools.image.repository }}:{{ $temporalValues.admintools.image.tag }}" 261 | imagePullPolicy: {{ $temporalValues.admintools.image.pullPolicy }} 262 | command: ['temporal-sql-tool', 'update', '--schema-dir', '/etc/temporal/schema/postgresql/v12/{{ eq $store "default" | ternary "temporal" $store }}/versioned'] 263 | env: 264 | - name: SQL_PLUGIN 265 | value: "postgres12" 266 | - name: SQL_HOST 267 | value: {{ $credentialStore.pgHost | quote }} 268 | - name: SQL_PORT 269 | value: {{ $credentialStore.pgPort | quote }} 270 | - name: SQL_DATABASE 271 | value: {{ $storeConfig.database | quote }} 272 | - name: SQL_TLS 273 | value: '{{ $temporalValues.tls.enabled }}' 274 | {{- if $temporalValues.tls.enabled }} 275 | - name: SQL_TLS_CA_FILE 276 | value: /mounted/ca-file/certificate 277 | {{- end }} 278 | {{- if (or $storeConfig.user $storeConfig.existingSecret) }} 279 | - name: SQL_USER 280 | {{- if and $storeConfig.existingSecret $storeConfig.existingSecretEnabledFields.user }} 281 | valueFrom: 282 | secretKeyRef: 283 | name: {{ $storeConfig.existingSecret }} 284 | key: "user" 285 | {{- else }} 286 | value: {{ $storeConfig.user }} 287 | {{- end }} 288 | {{- end }} 289 | {{/* # TODO Check this */}} 290 | {{- if (or $storeConfig.password $storeConfig.existingSecret) }} 291 | - name: SQL_PASSWORD 292 | {{- if $storeConfig.existingSecret }} 293 | valueFrom: 294 | secretKeyRef: 295 | name: {{ $storeConfig.existingSecret }} 296 | key: "password" 297 | {{- else }} 298 | value: {{ $storeConfig.password }} 299 | {{- end }} 300 | {{- end }} 301 | {{- if $temporalValues.tls.enabled }} 302 | volumeMounts: 
303 | - mountPath: /mounted/ca-file 304 | name: db-ssl-certificate 305 | {{- end }} 306 | {{- end }} 307 | {{- with .Values.schema.resources }} 308 | resources: 309 | {{- toYaml . | nindent 12 }} 310 | {{- end }} 311 | {{- with .Values.schema.containerSecurityContext }} 312 | securityContext: 313 | {{- toYaml . | nindent 12 }} 314 | {{- end }} 315 | {{- if $temporalValues.tls.enabled }} 316 | volumes: 317 | - name: db-ssl-certificate 318 | secret: 319 | secretName: {{ include "catalog.ssl.certificate.secretName" . }} 320 | {{- end }} 321 | {{- with .Values.schema.securityContext }} 322 | securityContext: 323 | {{- toYaml . | nindent 8 }} 324 | {{- end }} 325 | {{- with (default $temporalValues.admintools.nodeSelector) }} 326 | nodeSelector: 327 | {{- toYaml . | nindent 8 }} 328 | {{- end }} 329 | {{- with $temporalValues.admintools.affinity }} 330 | affinity: 331 | {{- toYaml . | nindent 8 }} 332 | {{- end }} 333 | {{- with $temporalValues.admintools.tolerations }} 334 | tolerations: 335 | {{- toYaml . | nindent 8 }} 336 | {{- end }} 337 | --- 338 | {{- end }} -------------------------------------------------------------------------------- /peerdb-catalog/templates/setup-postgres-job.yaml: -------------------------------------------------------------------------------- 1 | {{- $temporalValues := index .Values "temporal" }} 2 | {{- if and .Values.schema.create.enabled (not .Values.deploy.enabled) .Release.IsInstall }} 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: {{ include "deploy.schema.create.config.name" . }} 7 | data: 8 | {{- $currentScope := . 
}} 9 | {{- $directory := "pgSetup" }} 10 | {{- $fileList := list "main.go" "go.mod" "go.sum" }} 11 | {{- with $currentScope }} 12 | {{- range $fileName := $fileList}} 13 | {{ $fileName }}: | 14 | {{- $.Files.Get (printf "%s/%s" $directory $fileName ) | nindent 4 }} 15 | {{- end }} 16 | {{- end }} 17 | --- 18 | apiVersion: batch/v1 19 | kind: Job 20 | metadata: 21 | name: temporal-schema-create 22 | labels: 23 | app.kubernetes.io/name: temporal-schema-create 24 | app.kubernetes.io/managed-by: {{ .Release.Service }} 25 | app.kubernetes.io/instance: {{ .Release.Name }} 26 | app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} 27 | app.kubernetes.io/component: database 28 | app.kubernetes.io/part-of: {{ .Chart.Name }} 29 | spec: 30 | backoffLimit: {{ .Values.schema.setup.backoffLimit }} 31 | template: 32 | metadata: 33 | name: temporal-schema-create 34 | labels: 35 | app.kubernetes.io/name: temporal-schema-create 36 | app.kubernetes.io/managed-by: {{ .Release.Service }} 37 | app.kubernetes.io/instance: {{ .Release.Name }} 38 | app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} 39 | app.kubernetes.io/component: database 40 | app.kubernetes.io/part-of: {{ .Chart.Name }} 41 | spec: 42 | restartPolicy: "OnFailure" 43 | # TODO Migrate to pre-built image 44 | {{- with .Values.common.pods.affinity }} 45 | affinity: 46 | {{- . | toYaml | nindent 8 }} 47 | {{- end }} 48 | {{- with .Values.common.pods.nodeSelector }} 49 | nodeSelector: 50 | {{- . | toYaml | nindent 8 }} 51 | {{- end }} 52 | {{- with .Values.common.pods.tolerations }} 53 | tolerations: 54 | {{- . | toYaml | nindent 8 }} 55 | {{- end }} 56 | {{- with .Values.common.pods.imagePullSecrets }} 57 | imagePullSecrets: 58 | {{- . 
| toYaml | nindent 10 }} 59 | {{- end }} 60 | initContainers: 61 | - name: go-build 62 | image: "{{ .Values.schema.setup.pods.init.image.repository }}:{{ .Values.schema.setup.pods.init.image.tag }}" 63 | imagePullPolicy: "IfNotPresent" 64 | command: ['go', 'build', '-C', '/source', '-ldflags', '-s -w', '-o', '/build/run', 'main.go'] 65 | volumeMounts: 66 | - mountPath: "/source" 67 | name: "go-source-files" 68 | - mountPath: "/build" 69 | name: "go-build-files" 70 | containers: 71 | - name: "temporal-schema-create" 72 | image: "{{ .Values.schema.setup.pods.schemaCreate.repository }}:{{ .Values.schema.setup.pods.schemaCreate.tag }}" 73 | imagePullPolicy: "IfNotPresent" 74 | command: ['/build/run'] 75 | env: 76 | - name: PG_HOST 77 | value: {{ .Values.credentials.pgHost | quote }} 78 | - name: PG_PORT 79 | value: {{ .Values.credentials.pgPort | quote}} 80 | - name: PG_USER 81 | {{- if and .Values.credentials.admin.existingSecret .Values.credentials.admin.existingSecretEnabledFields.user }} 82 | valueFrom: 83 | secretKeyRef: 84 | name: {{ .Values.credentials.admin.existingSecret }} 85 | key: "user" 86 | {{- else }} 87 | value: {{ .Values.credentials.admin.user | quote }} 88 | {{- end }} 89 | - name: PG_PASSWORD 90 | {{- if .Values.credentials.admin.existingSecret }} 91 | valueFrom: 92 | secretKeyRef: 93 | name: {{ .Values.credentials.admin.existingSecret }} 94 | key: "password" 95 | {{- else }} 96 | value: {{ .Values.credentials.admin.password | quote }} 97 | {{- end }} 98 | - name: PG_DATABASE 99 | value: {{ .Values.credentials.admin.database | quote }} 100 | - name: TEMPORAL_USER 101 | {{- if and .Values.credentials.default.existingSecret .Values.credentials.default.existingSecretEnabledFields.user }} 102 | valueFrom: 103 | secretKeyRef: 104 | name: {{ .Values.credentials.default.existingSecret }} 105 | key: "user" 106 | {{- else }} 107 | value: {{ .Values.credentials.default.user | quote }} 108 | {{- end }} 109 | - name: TEMPORAL_PASSWORD 110 | {{- if 
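.Values.credentials.default.existingSecret }}
            valueFrom:
              secretKeyRef:
                name: {{ .Values.credentials.default.existingSecret }}
                key: "password"
            {{- else }}
            value: {{ .Values.credentials.default.password | quote }}
            {{- end }}
          - name: TEMPORAL_DB
            value: {{ .Values.credentials.default.database | quote }}
          - name: TEMPORAL_VISIBILITY_DB
            value: {{ .Values.credentials.visibility.database | quote }}
          - name: PEERDB_CATALOG_DATABASE
            value: {{ .Values.credentials.catalog.database | quote }}
          - name: ASSUME_YES
            value: "true"
          - name: TEMPORAL_DEPLOY_ENABLED
            value: {{ .Values.temporal.deploy.enabled | quote }}
          volumeMounts:
          - mountPath: "/build"
            name: "go-build-files"
          {{- with .Values.schema.create.resources }}
          resources:
          {{- toYaml . | nindent 12 }}
          {{- end }}
      volumes:
      - name: "go-source-files"
        configMap:
          name: {{ include "deploy.schema.create.config.name" . }}
      - name: "go-build-files"
        emptyDir: {}
{{- end }}
--------------------------------------------------------------------------------
/peerdb-catalog/templates/tests/schema-version-test.yaml:
--------------------------------------------------------------------------------
{{- /*
Helm test: one Pod per Temporal store ("default" and "visibility") that checks the
store's schema_version table contains the version this chart expects. The Pod
fails (exit 1) when no matching row is returned, so `helm test` reports a
schema that was not migrated.
*/}}
{{- if .Values.temporal.deploy.enabled }}
{{- $ := . }}
{{- $credentialStore := .Values.credentials }}
{{- /* schema_version.curr_version value each store is expected to carry. */}}
{{- $requiredDBVersions := dict "default" "1.12" "visibility" "1.6" }}
{{- range $store := (list "default" "visibility") }}
{{- $storeConfig := index $credentialStore $store }}
---
apiVersion: v1
kind: Pod
metadata:
  name: helm-test-fetch-{{ $store }}-version
  annotations:
    "helm.sh/hook": test
    {{/* "helm.sh/hook-delete-policy": hook-succeeded,hook-failed*/}}
spec:
  {{- with $.Values.common.pods.affinity }}
  affinity:
  {{- . | toYaml | nindent 4 }}
  {{- end }}
  {{- with $.Values.common.pods.nodeSelector }}
  nodeSelector:
  {{- . | toYaml | nindent 4 }}
  {{- end }}
  {{- with $.Values.common.pods.tolerations }}
  tolerations:
  {{- . | toYaml | nindent 4 }}
  {{- end }}
  {{- with $.Values.common.pods.imagePullSecrets }}
  imagePullSecrets:
  {{- . | toYaml | nindent 6 }}
  {{- end }}
  containers:
    - name: fetch-{{ $store }}-version
      image: "{{ $.Values.schema.test.image.repository }}:{{ $.Values.schema.test.image.tag }}"
      imagePullPolicy: Always
      {{- /* psql reads the password from PGPASSWORD, so it is not part of the conninfo argument and does not show up in the container's process arguments. The $(VAR) references are expanded by the kubelet from the env entries below. */}}
      command:
        - bash
        - -c
        - |
          psql -t "host=$(PG_HOST) port=$(PG_PORT) dbname=$(PG_DB) user=$(PG_USER)" -c "SELECT * FROM schema_version WHERE curr_version='$(DB_REQUIRED_VERSION)' AND db_name='$(PG_DB)'" | grep -E . || (echo "Version=$(DB_REQUIRED_VERSION) not found for $(PG_DB)" && exit 1)
      env:
        - name: PG_HOST
          value: {{ $credentialStore.pgHost | quote }}
        - name: PG_PORT
          value: {{ $credentialStore.pgPort | quote }}
        - name: PG_USER
          {{- /* Same user-source rule as the schema update job: take the user from the existing secret only when existingSecretEnabledFields.user is set. */}}
          {{- if and $storeConfig.existingSecret $storeConfig.existingSecretEnabledFields.user }}
          valueFrom:
            secretKeyRef:
              name: {{ $storeConfig.existingSecret }}
              key: "user"
          {{- else }}
          value: {{ $storeConfig.user | quote }}
          {{- end }}
        - name: PG_DB
          value: {{ $storeConfig.database | quote }}
        {{- if (or $storeConfig.password $storeConfig.existingSecret) }}
        - name: PGPASSWORD
          {{- if $storeConfig.existingSecret }}
          valueFrom:
            secretKeyRef:
              name: {{ $storeConfig.existingSecret }}
              key: "password"
          {{- else }}
          value: {{ $storeConfig.password | quote }}
          {{- end }}
        {{- end }}
        - name: DB_REQUIRED_VERSION
          value: {{ index $requiredDBVersions $store | quote }}
  restartPolicy: Never
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/peerdb-catalog/values.customer.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PeerDB-io/peerdb-enterprise/d513f4c4a8e8f2d5ebe433e40e39af2c632437a2/peerdb-catalog/values.customer.yaml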
-------------------------------------------------------------------------------- /peerdb-catalog/values.yaml: -------------------------------------------------------------------------------- 1 | credentials: 2 | default: 3 | user: _TEMPORAL_DEFAULT_USER_ 4 | password: _TEMPORAL_DEFAULT_PASSWORD_ 5 | database: _TEMPORAL_DEFAULT_DATABASE_ 6 | # -- Use an existing secret for the temporal default user. Use this when saving credentials to values.yaml is not desired 7 | existingSecret: "" 8 | existingSecretEnabledFields: 9 | # -- Whether to use the user field from the existing secret 10 | user: false 11 | 12 | visibility: 13 | user: _TEMPORAL_VISIBILITY_USER_ 14 | password: _TEMPORAL_VISIBILITY_PASSWORD_ 15 | database: _TEMPORAL_VISIBILITY_DATABASE_ 16 | # -- Use an existing secret for the temporal visibility user. Use this when saving credentials to values.yaml is not desired 17 | existingSecret: "" 18 | existingSecretEnabledFields: 19 | # -- Whether to use the user field from the existing secret 20 | user: false 21 | 22 | admin: 23 | user: _TEMPORAL_ADMIN_USER_ 24 | password: _TEMPORAL_ADMIN_PASSWORD_ 25 | database: _TEMPORAL_ADMIN_DATABASE_ 26 | # -- Use an existing secret for the temporal admin user. Use this when saving credentials to values.yaml is not desired 27 | existingSecret: "" 28 | existingSecretEnabledFields: 29 | # -- Whether to use the user field from the existing secret 30 | user: false 31 | 32 | catalog: 33 | database: _CATALOG_DATABASE_ 34 | pgHost: _PG_HOST_ 35 | pgPort: _PG_PORT_ 36 | secretName: _CATALOG_DB_MANUAL_CREDS_NAME_ 37 | ssl: 38 | enabled: _TEMPORAL_SSL_MODE_ 39 | type: _ 40 | path: _TEMPORAL_SSL_CA_CERT_PATH_ 41 | # -- Use an existing secret for the catalog ssl certificate to use for catalog. 
Generally used when a custom SSL certificate is needed 42 | existingSecret: "" 43 | 44 | # pgUser: _PG_USER_ 45 | # pgPassword: _PG_PASSWORD_ 46 | # pgDatabase: _PG_DATABASE_ 47 | # pgAdminDatabase: _PG_ADMIN_DATABASE_ 48 | 49 | deploy: 50 | enabled: true 51 | version: 15 52 | replicaCount: 3 53 | clusterName: _PG_CLUSTER_NAME_ 54 | user: 55 | # TODO: restrict these privileges; SUPERUSER is currently granted because migrations run at startup 56 | options: "SUPERUSER" 57 | instance: 58 | volume: 59 | resources: 60 | requests: 61 | # -- Storage size for the catalog instance, refer to Crunchy PGO for more details 62 | storage: 128Gi 63 | backups: 64 | volume: 65 | resources: 66 | requests: 67 | # -- Storage size for the catalog backups, refer to Crunchy PGO for more details 68 | storage: 384Gi 69 | resources: 70 | requests: 71 | cpu: 2 72 | memory: 2Gi 73 | limits: 74 | cpu: 2 75 | memory: 2Gi 76 | 77 | schema: 78 | create: 79 | # -- Whether to create the databases required by the catalog and Temporal. Not used with an in-cluster catalog, where init.sql runs on startup 80 | enabled: true 81 | resources: 82 | requests: 83 | cpu: 0.5 84 | memory: 512Mi 85 | limits: 86 | cpu: 0.5 87 | memory: 512Mi 88 | setup: 89 | hook: 90 | enabled: false 91 | # -- Whether to enable the schema setup job for temporal, it is recommended to have it enabled 92 | enabled: true 93 | backoffLimit: 100 94 | debug: false 95 | pods: 96 | init: 97 | image: 98 | repository: golang 99 | tag: alpine 100 | schemaCreate: 101 | repository: alpine 102 | tag: latest 103 | update: 104 | hook: 105 | enabled: true 106 | type: "pre-upgrade" 107 | # -- Whether to enable the schema update job for temporal, it is recommended to have it enabled 108 | enabled: true 109 | backoffLimit: 100 110 | test: 111 | image: 112 | repository: postgres 113 | tag: latest 114 | resources: 115 | requests: 116 | cpu: 0.5 117 | memory: 512Mi 118 | limits: 119 | cpu: 0.5 120 | memory: 512Mi 121 | 122 | temporal: 123 | deploy: 124 | enabled: true 125 | tls: 
126 | enabled: _TEMPORAL_SSL_MODE_ 127 | admintools: 128 | image: 129 | repository: temporalio/admin-tools 130 | # -- This should be set from the helm values for temporal dependency from the main chart 131 | tag: 1.24.2.1-tctl-1.18.1-cli-0.13.2 132 | pullPolicy: IfNotPresent 133 | 134 | 135 | 136 | pgo: 137 | singleNamespace: true 138 | resources: 139 | controller: 140 | requests: 141 | cpu: 1 142 | memory: 512Mi 143 | ephemeral-storage: 1Gi 144 | limits: 145 | cpu: 1 146 | memory: 512Mi 147 | ephemeral-storage: 2Gi 148 | debug: true 149 | disable_check_for_upgrades: false 150 | patroni: 151 | allowed_cidr: 152 | - 0.0.0.0/0 153 | 154 | common: 155 | pods: 156 | # -- node selector that will be applied to all the catalog related services additively 157 | nodeSelector: { } 158 | # -- tolerations that will be applied to all the catalog related services additively 159 | tolerations: [ ] 160 | # -- affinity that will be applied to all the catalog related services additively 161 | affinity: { } 162 | # -- image pull secrets that will be applied to all the catalog related services additively 163 | imagePullSecrets: [] 164 | 165 | global: 166 | peerdb: 167 | enterprise: 168 | # -- Whether to save customer values as a kubernetes secret for backup, pulled from `SAVE_VALUES_AS_SECRET` from .env 169 | saveCustomerValuesAsSecret: _SAVE_VALUES_AS_SECRET_ 170 | -------------------------------------------------------------------------------- /peerdb/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | peerdb-pg-setup -------------------------------------------------------------------------------- /peerdb/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: peerdb 3 | description: Install PeerDB along with Temporal. 4 | maintainers: 5 | - name: PeerDB Inc. 6 | url: https://peerdb.io/ 7 | - name: Kunal Gupta 8 | email: kunal@peerdb.io 9 | dependencies: 10 | - name: pyroscope 11 | repository: https://grafana.github.io/helm-charts 12 | version: 1.0.3 13 | condition: pyroscope.enabled 14 | - name: temporal 15 | repository: https://go.temporal.io/helm-charts 16 | version: 0.44.0 17 | alias: temporal-deploy 18 | condition: temporal.deploy.enabled 19 | - name: datadog 20 | version: 3.52.0 21 | repository: https://helm.datadoghq.com 22 | alias: datadog 23 | condition: datadog.enabled 24 | type: application 25 | # This is the chart version. This version number should be incremented each time you make changes 26 | # to the chart and its templates, including the app version. 27 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 28 | version: 0.8.0 29 | # This is the version number of the application being deployed. This version number should be 30 | # incremented each time you make changes to the application. Versions are not expected to 31 | # follow Semantic Versioning. They should reflect the version the application is using. 32 | # It is recommended to use it with quotes. 
33 | appVersion: "v0.22.1" 34 | -------------------------------------------------------------------------------- /peerdb/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{- if .Values.authentication.enabled -}} 2 | Since you have authentication enabled, please add DNS entries starting with {{ if .Values.temporal.deploy.enabled }}`temporal.`{{ end }}, `peerdb.` and `peerdb-ui.` pointing to the LoadBalancer IP/CNAME for {{ include "authentication.service.name" . }} 3 | {{- end -}} -------------------------------------------------------------------------------- /peerdb/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "peerdb.name" -}} 2 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 3 | {{- end -}} 4 | 5 | {{- define "catalog.secretName" -}} 6 | {{- if .Values.catalog.existingSecret -}} 7 | {{- .Values.catalog.existingSecret }} 8 | {{- else -}} 9 | {{- .Values.catalog.credentialsSecretName }} 10 | {{- end -}} 11 | {{- end -}} 12 | 13 | {{- define "catalog.deployed.secretName" -}} 14 | {{ printf "%s-%s-%s" (.Values.catalog.deploy.clusterName) "pguser" (.Values.catalog.pgUser) }} 15 | {{- end -}} 16 | 17 | {{- define "catalog.secretNameToUse" -}} 18 | {{- if .Values.catalog.deploy.enabled -}} 19 | {{/* The secret with given keys is auto-generated by the operator if we seek to use it, else we create ourselves*/}} 20 | {{- include "catalog.deployed.secretName" . -}} 21 | {{- else -}} 22 | {{- include "catalog.secretName" . -}} 23 | {{- end -}} 24 | {{- end -}} 25 | 26 | {{- define "catalog.pgConf" -}} 27 | {{- $secretNameToUse := include "catalog.secretNameToUse" . 
}} 28 | - name: PEERDB_CATALOG_HOST 29 | valueFrom: 30 | secretKeyRef: 31 | name: {{ $secretNameToUse }} 32 | key: host 33 | - name: PEERDB_CATALOG_PORT 34 | valueFrom: 35 | secretKeyRef: 36 | name: {{ $secretNameToUse }} 37 | key: port 38 | - name: PEERDB_CATALOG_USER 39 | valueFrom: 40 | secretKeyRef: 41 | name: {{ $secretNameToUse }} 42 | key: user 43 | - name: PEERDB_CATALOG_PASSWORD 44 | valueFrom: 45 | secretKeyRef: 46 | name: {{ $secretNameToUse }} 47 | key: password 48 | - name: PEERDB_CATALOG_DATABASE 49 | valueFrom: 50 | secretKeyRef: 51 | name: {{ $secretNameToUse }} 52 | key: dbname 53 | - name: DATABASE_URL 54 | valueFrom: 55 | secretKeyRef: 56 | name: {{ $secretNameToUse }} 57 | key: uri 58 | {{- end -}} 59 | 60 | 61 | {{- define "temporal.config" -}} 62 | - name: TEMPORAL_HOST_PORT 63 | value: {{ .Values.temporal.host }}:{{ .Values.temporal.port }} 64 | - name: PEERDB_TEMPORAL_NAMESPACE 65 | value: {{ .Values.temporal.namespace }} 66 | 67 | {{- if not .Values.temporal.deploy.enabled }} 68 | - name: TEMPORAL_CLIENT_CERT 69 | value: {{ .Values.temporal.clientCert }} 70 | - name: TEMPORAL_CLIENT_KEY 71 | value: {{ .Values.temporal.clientKey }} 72 | {{- end }} 73 | - name: PEERDB_DEPLOYMENT_UID 74 | value: {{ .Values.temporal.taskQueueId }} 75 | {{- end -}} 76 | 77 | {{- define "aws.config" -}} 78 | {{- if .Values.aws.accessKeyId }} 79 | - name: AWS_ACCESS_KEY_ID 80 | value: {{ .Values.aws.accessKeyId | quote }} 81 | {{- end }} 82 | {{- if .Values.aws.secretAccessKey }} 83 | - name: AWS_SECRET_ACCESS_KEY 84 | value: {{ .Values.aws.secretAccessKey | quote }} 85 | {{- end }} 86 | {{- if .Values.aws.region }} 87 | - name: AWS_REGION 88 | value: {{ .Values.aws.region | quote }} 89 | {{- end }} 90 | {{- end -}} 91 | 92 | 93 | {{- define "authentication.labels" -}} 94 | app.kubernetes.io/name: {{ include "authentication.deploy.name" . 
}} 95 | app.kubernetes.io/instance: {{ .Release.Name }} 96 | {{- end -}} 97 | {{- define "authentication.selectorLabels" -}} 98 | {{ include "authentication.labels" . }} 99 | {{- end -}} 100 | 101 | {{- define "authentication.deploy.name" -}} 102 | authentication-proxy 103 | {{- end -}} 104 | {{- define "authentication.service.name" -}} 105 | authentication-proxy 106 | {{- end -}} 107 | {{- define "authentication.config.name" -}} 108 | {{- include "authentication.deploy.name" . }}-nginx-config 109 | {{- end -}} 110 | {{- define "authentication.healthcheck.config.name" -}} 111 | {{- include "authentication.deploy.name" . }}-healthcheck-config 112 | {{- end -}} 113 | 114 | {{- define "authentication.secret.name" -}} 115 | {{- include "authentication.deploy.name" . }}-htpasswd 116 | {{- end -}} 117 | 118 | {{- define "extract.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution" }} 119 | {{ dict "result" (index (index . "nodeAffinity" | default dict) "preferredDuringSchedulingIgnoredDuringExecution" | default list) | toYaml }} 120 | {{- end }} 121 | 122 | {{- define "extract.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms" }} 123 | {{ dict "result" (index (index (index . "nodeAffinity" | default dict) "requiredDuringSchedulingIgnoredDuringExecution" | default dict) "nodeSelectorTerms" | default list) | toYaml }} 124 | {{- end }} 125 | 126 | 127 | {{- define "extract.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution" }} 128 | {{ dict "result" (index (index . "podAffinity" | default dict) "preferredDuringSchedulingIgnoredDuringExecution" | default list) | toYaml }} 129 | {{- end }} 130 | 131 | {{- define "extract.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution" }} 132 | {{ dict "result" (index (index . 
"podAffinity" | default dict) "requiredDuringSchedulingIgnoredDuringExecution" | default list) | toYaml }} 133 | {{- end }} 134 | 135 | {{- define "extract.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution" }} 136 | {{ dict "result" (index (index . "podAntiAffinity" | default dict) "preferredDuringSchedulingIgnoredDuringExecution" | default list) | toYaml }} 137 | {{- end }} 138 | 139 | {{- define "extract.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution" }} 140 | {{ dict "result" (index (index . "podAntiAffinity" | default dict) "requiredDuringSchedulingIgnoredDuringExecution" | default list) | toYaml }} 141 | {{- end }} 142 | 143 | {{- define "pods.affinity" -}} 144 | {{- $ := index . 0 }} 145 | {{- $service := index . 1 }} 146 | {{- $commonAffinity := $.Values.common.pods.affinity }} 147 | {{- $lowCostAffinity := dict }} 148 | {{- if (index (index $.Values $service) "lowCost") }} 149 | {{- $lowCostAffinity = $.Values.global.peerdb.lowCost.affinity }} 150 | {{- end }} 151 | {{- $specificAffinity := index (index (index $.Values $service) "pods") "affinity" }} 152 | 153 | {{/*We will deep merge the following from common, lowCost and specific information of the deployment*/}} 154 | {{- $nodeAffinity_preferredDuringSchedulingIgnoredDuringExecution := list }} 155 | {{- $nodeAffinity_requiredDuringSchedulingIgnoredDuringExecution_nodeSelectorTerms := list }} 156 | {{- $podAffinity_preferredDuringSchedulingIgnoredDuringExecution := list }} 157 | {{- $podAffinity_requiredDuringSchedulingIgnoredDuringExecution := list }} 158 | {{- $podAntiAffinity_preferredDuringSchedulingIgnoredDuringExecution := list }} 159 | {{- $podAntiAffinity_requiredDuringSchedulingIgnoredDuringExecution := list }} 160 | 161 | {{- range $affinitySpec := list $commonAffinity $lowCostAffinity $specificAffinity }} 162 | {{- $nodeAffinity_preferredDuringSchedulingIgnoredDuringExecution = 163 | concat 
$nodeAffinity_preferredDuringSchedulingIgnoredDuringExecution 164 | (index (include "extract.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution" $affinitySpec | fromYaml) "result") 165 | }} 166 | {{- $nodeAffinity_requiredDuringSchedulingIgnoredDuringExecution_nodeSelectorTerms = 167 | concat $nodeAffinity_requiredDuringSchedulingIgnoredDuringExecution_nodeSelectorTerms 168 | (index (include "extract.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms" $affinitySpec | fromYaml) "result") 169 | }} 170 | {{- $podAffinity_preferredDuringSchedulingIgnoredDuringExecution = 171 | concat $podAffinity_preferredDuringSchedulingIgnoredDuringExecution 172 | (index (include "extract.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution" $affinitySpec | fromYaml) "result") 173 | }} 174 | {{- $podAffinity_requiredDuringSchedulingIgnoredDuringExecution = 175 | concat $podAffinity_requiredDuringSchedulingIgnoredDuringExecution 176 | (index (include "extract.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution" $affinitySpec | fromYaml) "result") 177 | }} 178 | {{- $podAntiAffinity_preferredDuringSchedulingIgnoredDuringExecution = 179 | concat $podAntiAffinity_preferredDuringSchedulingIgnoredDuringExecution 180 | (index (include "extract.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution" $affinitySpec | fromYaml) "result") 181 | }} 182 | {{- $podAntiAffinity_requiredDuringSchedulingIgnoredDuringExecution = 183 | concat $podAntiAffinity_requiredDuringSchedulingIgnoredDuringExecution 184 | (index (include "extract.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution" $affinitySpec | fromYaml) "result") 185 | }} 186 | {{- end -}} 187 | 188 | affinity: 189 | {{- if or $nodeAffinity_preferredDuringSchedulingIgnoredDuringExecution $nodeAffinity_requiredDuringSchedulingIgnoredDuringExecution_nodeSelectorTerms }} 190 | nodeAffinity: 191 | {{- with 
$nodeAffinity_preferredDuringSchedulingIgnoredDuringExecution }} 192 | preferredDuringSchedulingIgnoredDuringExecution: 193 | {{- . | toYaml | nindent 6 }} 194 | {{- end }} 195 | requiredDuringSchedulingIgnoredDuringExecution: 196 | {{ with $nodeAffinity_requiredDuringSchedulingIgnoredDuringExecution_nodeSelectorTerms }} 197 | nodeSelectorTerms: 198 | {{- . | toYaml | nindent 8 }} 199 | {{- end }} 200 | {{- end }} 201 | {{- if or $podAffinity_preferredDuringSchedulingIgnoredDuringExecution $podAffinity_requiredDuringSchedulingIgnoredDuringExecution }} 202 | podAffinity: 203 | {{- with $podAffinity_preferredDuringSchedulingIgnoredDuringExecution }} 204 | preferredDuringSchedulingIgnoredDuringExecution: 205 | {{- . | toYaml | nindent 6 }} 206 | {{- end }} 207 | {{- with $podAffinity_requiredDuringSchedulingIgnoredDuringExecution }} 208 | requiredDuringSchedulingIgnoredDuringExecution: 209 | {{- . | toYaml | nindent 6 }} 210 | {{- end }} 211 | {{- end }} 212 | podAntiAffinity: 213 | {{- with $podAntiAffinity_preferredDuringSchedulingIgnoredDuringExecution }} 214 | preferredDuringSchedulingIgnoredDuringExecution: 215 | {{- . | toYaml | nindent 6 }} 216 | {{- end }} 217 | {{- with $podAntiAffinity_requiredDuringSchedulingIgnoredDuringExecution }} 218 | requiredDuringSchedulingIgnoredDuringExecution: 219 | {{- . | toYaml | nindent 6 }} 220 | {{- end }} 221 | {{- end -}} 222 | 223 | {{- define "pods.nodeSelector" }} 224 | {{- $ := index . 0 }} 225 | {{- $service := index . 
1 }} 226 | {{- $commonNodeSelector := $.Values.common.pods.nodeSelector }} 227 | {{- $lowCostNodeSelector := dict }} 228 | {{- if (index (index $.Values $service) "lowCost") }} 229 | {{- $lowCostNodeSelector = $.Values.global.peerdb.lowCost.nodeSelector }} 230 | {{- end }} 231 | {{- $specificNodeSelector := index (index (index $.Values $service) "pods") "nodeSelector" }} 232 | {{- $combined := merge dict $commonNodeSelector $lowCostNodeSelector $specificNodeSelector }} 233 | {{- with $combined }} 234 | nodeSelector: 235 | {{- $combined | toYaml | nindent 2 }} 236 | {{- end }} 237 | {{- end }} 238 | 239 | {{- define "pods.tolerations" }} 240 | {{- $ := index . 0 }} 241 | {{- $service := index . 1 }} 242 | {{- $commonTolerations := $.Values.common.pods.tolerations }} 243 | {{- $lowCostTolerations := list }} 244 | {{- if (index (index $.Values $service) "lowCost") }} 245 | {{- $lowCostTolerations = $.Values.global.peerdb.lowCost.tolerations }} 246 | {{- end }} 247 | {{- $specificTolerations := index (index (index $.Values $service) "pods") "tolerations" }} 248 | {{- $combined := concat $commonTolerations $lowCostTolerations $specificTolerations }} 249 | {{- with $combined }} 250 | tolerations: 251 | {{- $combined | toYaml | nindent 4 }} 252 | {{- end }} 253 | {{- end }} 254 | 255 | {{- define "pods.imagePullSecrets" }} 256 | {{- $ := index . 0 }} 257 | {{- $service := index . 
1 }} 258 | {{- $commonPullSecrets := $.Values.common.pods.imagePullSecrets }} 259 | {{- $specificPullSecrets := index (index (index $.Values $service) "pods") "imagePullSecrets" | default list }} 260 | {{- $combined := concat $commonPullSecrets $specificPullSecrets }} 261 | {{ with $combined }} 262 | imagePullSecrets: 263 | {{- $combined | toYaml | nindent 4 }} 264 | {{- end }} 265 | {{- end }} 266 | 267 | 268 | 269 | {{- define "azure.config" -}} 270 | {{- if .Values.azure.clientId }} 271 | - name: AZURE_CLIENT_ID 272 | value: {{ .Values.azure.clientId | quote }} 273 | {{- end }} 274 | {{- if .Values.azure.clientSecret }} 275 | - name: AZURE_CLIENT_SECRET 276 | value: {{ .Values.azure.clientSecret | quote }} 277 | {{- end }} 278 | {{- if .Values.azure.subscriptionId }} 279 | - name: AZURE_SUBSCRIPTION_ID 280 | value: {{ .Values.azure.subscriptionId | quote }} 281 | {{- end }} 282 | {{- if .Values.azure.tenantId }} 283 | - name: AZURE_TENANT_ID 284 | value: {{ .Values.azure.tenantId | quote }} 285 | {{- end }} 286 | {{- end -}} 287 | 288 | 289 | {{- define "peerdb.common.selectorLabels" -}} 290 | app.kubernetes.io/name: {{ include "peerdb.name" . }} 291 | app.kubernetes.io/instance: {{ .Release.Name }} 292 | {{- end -}} 293 | 294 | {{- define "peerdb.common.labels" -}} 295 | {{ include "peerdb.common.selectorLabels" .}} 296 | app.kubernetes.io/managed-by: {{ .Release.Service }} 297 | app.kubernetes.io/part-of: {{ .Chart.Name }} 298 | {{- end -}} 299 | 300 | {{- define "component.labels" -}} 301 | app.kubernetes.io/component: {{ . }} 302 | app: {{ . }} 303 | {{- end -}} -------------------------------------------------------------------------------- /peerdb/templates/auth-deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.authentication.enabled -}} 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: {{ include "authentication.deploy.name" . 
}} 6 | labels: 7 | {{- include "authentication.labels" . | nindent 4 }} 8 | spec: 9 | replicas: {{ .Values.authentication.replicaCount }} 10 | selector: 11 | matchLabels: 12 | {{- include "authentication.selectorLabels" . | nindent 6 }} 13 | template: 14 | metadata: 15 | annotations: 16 | checksum/config: {{ include "authentication.config.data" . | sha256sum }} 17 | checksum/secret: {{ include "authentication.secret.data" . | sha256sum }} 18 | checksum/healthcheck: {{ include "authentication.healthcheck.data" . | sha256sum }} 19 | labels: 20 | {{- include "authentication.selectorLabels" . | nindent 8 }} 21 | spec: 22 | {{- if .Values.serviceAccount.name }} 23 | serviceAccountName: {{ .Values.serviceAccount.name }} 24 | {{- end }} 25 | terminationGracePeriodSeconds: {{ default 60 .Values.authentication.terminationGracePeriodSeconds }} 26 | 27 | containers: 28 | - name: nginx 29 | image: "{{ .Values.authentication.image.repository }}:{{ .Values.authentication.image.tag }}" 30 | imagePullPolicy: {{ .Values.authentication.image.pullPolicy }} 31 | volumeMounts: 32 | - mountPath: "/etc/nginx" 33 | name: "authentication-config" 34 | - mountPath: "/secrets/htpasswd" 35 | name: "authentication-htpasswd" 36 | - mountPath: "/healthcheck" 37 | name: "authentication-healthcheck" 38 | ports: 39 | - containerPort: {{ .Values.authentication.service.targetPort }} 40 | name: http 41 | - containerPort: {{ .Values.peerdb.service.port }} 42 | name: peerdb 43 | livenessProbe: 44 | exec: 45 | command: 46 | - /bin/bash 47 | - /healthcheck/health.sh 48 | initialDelaySeconds: 10 49 | periodSeconds: 3 50 | timeoutSeconds: 60 51 | failureThreshold: 3 52 | terminationGracePeriodSeconds: 30 53 | readinessProbe: 54 | exec: 55 | command: 56 | - /bin/bash 57 | - /healthcheck/health.sh 58 | initialDelaySeconds: 10 59 | periodSeconds: 5 60 | timeoutSeconds: 180 61 | failureThreshold: 3 62 | {{- with .Values.authentication.resources }} 63 | resources: {{ toYaml . 
| nindent 12 }} 64 | {{- end }} 65 | volumes: 66 | - name: "authentication-config" 67 | configMap: 68 | name: {{ include "authentication.config.name" . }} 69 | - name: "authentication-htpasswd" 70 | secret: 71 | secretName: {{ include "authentication.secret.name" . }} 72 | - name: "authentication-healthcheck" 73 | configMap: 74 | name: {{ include "authentication.healthcheck.config.name" . }} 75 | {{- end -}} 76 | -------------------------------------------------------------------------------- /peerdb/templates/auth-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.authentication.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "authentication.service.name" . }} 6 | annotations: 7 | {{- .Values.authentication.service.annotations | toYaml | nindent 4 }} 8 | spec: 9 | selector: 10 | {{- include "authentication.labels" . | nindent 4 }} 11 | {{- if not (eq .Values.authentication.service.type "LoadBalancer") }} 12 | sessionAffinity: ClientIP 13 | {{- end }} 14 | ports: 15 | - protocol: TCP 16 | port: {{ .Values.authentication.service.port }} 17 | targetPort: {{ .Values.authentication.service.targetPort }} 18 | name: http 19 | - protocol: TCP 20 | port: {{ .Values.peerdb.service.port }} 21 | targetPort: {{ .Values.peerdb.service.targetPort }} 22 | name: peerdb 23 | type: {{ .Values.authentication.service.type }} 24 | {{- end -}} 25 | -------------------------------------------------------------------------------- /peerdb/templates/authentication-healthcheck-config.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.authentication.enabled -}} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ include "authentication.healthcheck.config.name" . }} 6 | labels: 7 | {{- include "authentication.labels" . | nindent 4 }} 8 | data: 9 | health.sh: | 10 | {{ include "authentication.healthcheck.data" . 
| nindent 4 }} 11 | {{- end -}} 12 | -------------------------------------------------------------------------------- /peerdb/templates/authentication-htpasswd-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.authentication.enabled -}} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "authentication.secret.name" . }} 6 | labels: 7 | {{- include "authentication.labels" . | nindent 4 }} 8 | stringData: 9 | htpasswd: | 10 | {{ include "authentication.secret.data" . | nindent 4 }} 11 | {{- end -}} 12 | -------------------------------------------------------------------------------- /peerdb/templates/authentication-nginx-config.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.authentication.enabled -}} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ include "authentication.config.name" . }} 6 | labels: 7 | {{- include "authentication.labels" . | nindent 4 }} 8 | data: 9 | nginx.conf: | 10 | {{ include "authentication.config.data" . 
| nindent 4 }} 11 | {{- end -}} 12 | -------------------------------------------------------------------------------- /peerdb/templates/authentication/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "authentication.peerdb-ui.service.fqdn-with-port" -}} 2 | peerdb-ui.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.peerdbUI.service.port }} 3 | {{- end -}} 4 | 5 | {{- define "authentication.peerdb.service.fqdn-with-port" -}} 6 | {{ .Values.peerdb.service.name }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.peerdb.service.port }} 7 | {{- end -}} 8 | 9 | {{- define "authentication.temporal.service.fqdn-with-port" -}} 10 | {{ .Values.temporal.releaseName }}-web.{{ .Release.Namespace }}.svc.cluster.local:8080 11 | {{- end -}} 12 | -------------------------------------------------------------------------------- /peerdb/templates/authentication/healthcheck.sh.tmpl: -------------------------------------------------------------------------------- 1 | {{- define "authentication.healthcheck.data" -}} 2 | 3 | #!/usr/bin/env bash 4 | 5 | {{/*# Enables healthcheck to all backends*/}} 6 | {{/*curl -fsS --fail-early --max-time {{ .Values.authentication.healthcheck.script.timeoutSeconds | quote }} --parallel \*/}} 7 | {{/* "http://localhost:{{- .Values.authentication.service.targetPort -}}{{- .Values.authentication.healthcheck.path }}" \*/}} 8 | {{/* "{{ include "authentication.peerdb-ui.service.fqdn-with-port" . }}" \*/}} 9 | {{/* "{{ include "authentication.temporal.service.fqdn-with-port" . 
}}"*/}} 10 | 11 | # TODO add healthcheck for peerdb nginx TCP proxy 12 | # Checks only the current nginx backend 13 | curl -fsS --fail-early --max-time {{ .Values.authentication.healthcheck.script.timeoutSeconds | quote }} --parallel \ 14 | "http://localhost:{{- .Values.authentication.service.targetPort -}}{{- .Values.authentication.healthcheck.path }}" # "http://localhost:{{- .Values.peerdb.service.targetPort -}}{{- .Values.authentication.healthcheck.path }}" 15 | 16 | 17 | {{- end -}} 18 | -------------------------------------------------------------------------------- /peerdb/templates/authentication/httpaswd.tmpl: -------------------------------------------------------------------------------- 1 | {{- define "authentication.secret.data" -}} 2 | {{- if .Values.authentication.enabled }} 3 | {{- $_ := required "Authentication username is a required value at (authentication.credentials.username)" .Values.authentication.credentials.username }} 4 | {{- $__ := required "Authentication password is a required value at (authentication.credentials.password)" .Values.authentication.credentials.password }} 5 | {{- end -}} 6 | {{ htpasswd .Values.authentication.credentials.username .Values.authentication.credentials.password }} 7 | {{- end -}} 8 | -------------------------------------------------------------------------------- /peerdb/templates/authentication/nginx.conf.tpl: -------------------------------------------------------------------------------- 1 | {{- define "authentication.config.data" -}} 2 | events { 3 | worker_connections 4096; 4 | } 5 | 6 | http { 7 | resolver kube-dns.kube-system.svc.cluster.local valid=10s; # Verify resolution works 8 | # TODO remove port hardcoding for temporal once we have unified chart 9 | map $http_host $backend_service { 10 | {{ .Values.authentication.backendService.peerdbUi.hostPattern | default `~^peerdb-ui\..*` }} "{{- include "authentication.peerdb-ui.service.fqdn-with-port" . 
-}}"; 11 | {{- if .Values.temporal.deploy.enabled }} 12 | {{ .Values.authentication.backendService.temporal.hostPattern | default `~^temporal\..*` }} "{{- include "authentication.temporal.service.fqdn-with-port" . -}}"; 13 | {{- end }} 14 | } 15 | 16 | access_log /dev/stdout combined; 17 | error_log /dev/stdout; 18 | server { 19 | listen {{ .Values.authentication.service.targetPort }}; 20 | root /usr/share/nginx/html; 21 | location / { 22 | auth_basic "Authentication required"; 23 | auth_basic_user_file /secrets/htpasswd/htpasswd; 24 | 25 | proxy_pass http://$backend_service; 26 | } 27 | location = {{ .Values.authentication.healthcheck.path }} { 28 | access_log off; 29 | add_header 'Content-Type' 'application/json'; 30 | return 200 '{"status":"UP"}'; 31 | } 32 | } 33 | 34 | } 35 | 36 | stream { 37 | log_format basic '$remote_addr [$time_local] ' 38 | '$protocol $status $bytes_sent $bytes_received ' 39 | '$session_time'; 40 | access_log /dev/stdout basic; 41 | error_log /dev/stdout; 42 | server { 43 | listen {{ .Values.peerdb.service.port }}; 44 | proxy_pass "{{- include "authentication.peerdb.service.fqdn-with-port" . -}}"; 45 | # TODO take a look at TCP healthcheck 46 | {{/* location = {{ .Values.authentication.healthcheck.path }} {*/}} 47 | {{/* access_log off;*/}} 48 | {{/* add_header 'Content-Type' 'application/json';*/}} 49 | {{/* return 200 '{"status":"UP"}';*/}} 50 | {{/* }*/}} 51 | } 52 | 53 | } 54 | 55 | {{- end -}} 56 | -------------------------------------------------------------------------------- /peerdb/templates/catalog-secrets.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not .Values.catalog.deploy.enabled) (not .Values.catalog.existingSecret) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "catalog.secretName" . }} 6 | labels: 7 | {{- include "peerdb.common.labels" . 
| nindent 4 }} 8 | stringData: 9 | host: {{ .Values.catalog.pgHost | quote }} 10 | port: {{ .Values.catalog.pgPort | quote }} 11 | user: {{ .Values.catalog.pgUser | quote }} 12 | password: {{ .Values.catalog.pgPassword | quote }} 13 | dbname: {{ .Values.catalog.pgDatabase | quote }} 14 | uri: "postgres://{{ .Values.catalog.pgUser }}:{{ .Values.catalog.pgPassword }}@{{ .Values.catalog.pgHost }}:{{ .Values.catalog.pgPort }}/{{ .Values.catalog.pgDatabase }}" 15 | {{- end }} -------------------------------------------------------------------------------- /peerdb/templates/customer-values-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.peerdb.enterprise.saveCustomerValuesAsSecret }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: values-customer-peerdb 6 | labels: 7 | {{- include "peerdb.common.labels" . | nindent 4 }} 8 | stringData: 9 | "peerdb.values.customer.yaml" : | 10 | {{ .Files.Get "values.customer.yaml" | indent 4 }} 11 | {{- end }} -------------------------------------------------------------------------------- /peerdb/templates/flow-api-deployment.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.flowApi.enabled -}} 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: flow-api 6 | labels: 7 | {{- include "component.labels" "flow-api" | nindent 4 }} 8 | {{- include "peerdb.common.labels" . | nindent 4 }} 9 | {{- with .Values.flowApi.deployment.labels }} 10 | {{ . | toYaml | nindent 4 }} 11 | {{- end }} 12 | annotations: 13 | {{- with .Values.flowApi.deployment.annotations }} 14 | {{ . | toYaml | nindent 4 }} 15 | {{- end }} 16 | spec: 17 | replicas: {{ .Values.flowApi.replicaCount }} 18 | selector: 19 | matchLabels: 20 | {{- include "component.labels" "flow-api" | nindent 6 }} 21 | {{- include "peerdb.common.selectorLabels" . 
| nindent 6 }} 22 | template: 23 | metadata: 24 | labels: 25 | {{- include "component.labels" "flow-api" | nindent 8 }} 26 | {{- include "peerdb.common.labels" . | nindent 8 }} 27 | {{- with .Values.flowApi.pods.labels }} 28 | {{ . | toYaml | nindent 8 }} 29 | {{- end }} 30 | annotations: 31 | {{- with .Values.flowApi.pods.annotations }} 32 | {{ . | toYaml | nindent 8 }} 33 | {{- end }} 34 | spec: 35 | {{- if .Values.serviceAccount.name }} 36 | serviceAccountName: {{ .Values.serviceAccount.name }} 37 | {{- end }} 38 | terminationGracePeriodSeconds: {{ default 60 .Values.flowWorker.terminationGracePeriodSeconds }} 39 | {{- include "pods.affinity" (list $ "flowApi") | nindent 6 }} 40 | {{- include "pods.nodeSelector" (list $ "flowApi") | nindent 6 }} 41 | {{- include "pods.tolerations" (list $ "flowApi") | nindent 6 }} 42 | {{- include "pods.imagePullSecrets" (list $ "flowApi") | nindent 6 }} 43 | 44 | containers: 45 | - name: flow-api 46 | image: "{{ .Values.flowApi.image.repository }}:{{ .Values.flowApi.version | default .Values.peerdb.version }}" 47 | imagePullPolicy: {{ .Values.flowApi.image.pullPolicy }} 48 | ports: 49 | - containerPort: {{ .Values.flowApi.service.targetPort }} 50 | name: api 51 | - containerPort: {{ .Values.flowApi.service.targetHttpPort }} 52 | name: http 53 | env: 54 | {{- include "catalog.pgConf" . | nindent 8 }} 55 | {{- include "aws.config" . | nindent 8 }} 56 | {{- include "temporal.config" . | nindent 8 }} 57 | {{- with .Values.flowApi.extraEnv -}} 58 | {{ . 
| toYaml | nindent 8}} 59 | {{- end }} 60 | - name: GIN_MODE 61 | value: release 62 | livenessProbe: 63 | grpc: 64 | port: {{ .Values.flowApi.service.targetPort }} 65 | initialDelaySeconds: 10 66 | periodSeconds: 3 67 | timeoutSeconds: 60 68 | failureThreshold: 3 69 | terminationGracePeriodSeconds: 30 70 | readinessProbe: 71 | grpc: 72 | port: {{ .Values.flowApi.service.targetPort }} 73 | initialDelaySeconds: 10 74 | periodSeconds: 5 75 | timeoutSeconds: 180 76 | failureThreshold: 3 77 | 78 | {{- with .Values.flowApi.resources }} 79 | resources: {{ toYaml . | nindent 10 }} 80 | {{- end }} 81 | {{- end -}} -------------------------------------------------------------------------------- /peerdb/templates/flow-api-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.flowApi.service.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: flow-api 6 | annotations: 7 | {{- .Values.flowApi.service.annotations | toYaml | nindent 4 }} 8 | labels: 9 | {{- include "component.labels" "flow-api" | nindent 4 }} 10 | {{- include "peerdb.common.labels" . | nindent 4 }} 11 | spec: 12 | selector: 13 | {{- include "component.labels" "flow-api" | nindent 4 }} 14 | {{- include "peerdb.common.selectorLabels" . 
| nindent 4 }} 15 | ports: 16 | - protocol: TCP 17 | port: {{ .Values.flowApi.service.port }} 18 | targetPort: {{ .Values.flowApi.service.targetPort }} 19 | name: grpc-api 20 | - protocol: TCP 21 | port: {{ .Values.flowApi.service.httpPort }} 22 | targetPort: {{ .Values.flowApi.service.targetHttpPort }} 23 | name: http-api 24 | 25 | type: {{ .Values.flowApi.service.type }} 26 | {{- end -}} -------------------------------------------------------------------------------- /peerdb/templates/flow-snapshot-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.flowSnapshotWorker.service.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: flow-snapshot-service 6 | labels: 7 | {{- include "component.labels" "flow-snapshot-worker" | nindent 4 }} 8 | {{- include "peerdb.common.labels" . | nindent 4 }} 9 | annotations: 10 | {{- .Values.flowSnapshotWorker.service.annotations | toYaml | nindent 4 }} 11 | spec: 12 | clusterIP: None 13 | selector: 14 | {{- include "component.labels" "flow-snapshot-worker" | nindent 4 }} 15 | {{- include "peerdb.common.selectorLabels" . | nindent 4 }} 16 | {{- end -}} -------------------------------------------------------------------------------- /peerdb/templates/flow-snapshot-worker-stateful-set.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.flowSnapshotWorker.enabled -}} 2 | apiVersion: apps/v1 3 | kind: StatefulSet 4 | metadata: 5 | name: flow-snapshot-worker 6 | labels: 7 | {{- include "component.labels" "flow-snapshot-worker" | nindent 4 }} 8 | {{- include "peerdb.common.labels" . | nindent 4 }} 9 | {{- with .Values.flowSnapshotWorker.statefulSet.labels }} 10 | {{ . | toYaml | nindent 4 }} 11 | {{- end }} 12 | annotations: 13 | {{- with .Values.flowSnapshotWorker.statefulSet.annotations }} 14 | {{ . 
| toYaml | nindent 4 }} 15 | {{- end }} 16 | spec: 17 | serviceName: "flow-snapshot-service" 18 | replicas: {{ .Values.flowSnapshotWorker.replicaCount }} 19 | selector: 20 | matchLabels: 21 | {{- include "component.labels" "flow-snapshot-worker" | nindent 6 }} 22 | {{- include "peerdb.common.selectorLabels" . | nindent 6 }} 23 | template: 24 | metadata: 25 | labels: 26 | {{- include "component.labels" "flow-snapshot-worker" | nindent 8 }} 27 | {{- include "peerdb.common.labels" . | nindent 8 }} 28 | {{- with .Values.flowSnapshotWorker.pods.labels }} 29 | {{ . | toYaml | nindent 8 }} 30 | {{- end }} 31 | annotations: 32 | {{- with .Values.flowSnapshotWorker.pods.annotations }} 33 | {{ . | toYaml | nindent 8 }} 34 | {{- end }} 35 | spec: 36 | {{- if .Values.serviceAccount.name }} 37 | serviceAccountName: {{ .Values.serviceAccount.name }} 38 | {{- end }} 39 | terminationGracePeriodSeconds: {{ default 600 .Values.flowSnapshotWorker.terminationGracePeriodSeconds }} 40 | {{- include "pods.affinity" (list $ "flowSnapshotWorker") | nindent 6 }} 41 | {{- include "pods.nodeSelector" (list $ "flowSnapshotWorker") | nindent 6 }} 42 | {{- include "pods.tolerations" (list $ "flowSnapshotWorker") | nindent 6 }} 43 | {{- include "pods.imagePullSecrets" (list $ "flowSnapshotWorker") | nindent 6 }} 44 | 45 | containers: 46 | - name: flow-snapshot-worker 47 | image: "{{ .Values.flowSnapshotWorker.image.repository }}:{{ .Values.flowSnapshotWorker.version | default .Values.peerdb.version }}" 48 | imagePullPolicy: {{ .Values.flowSnapshotWorker.image.pullPolicy }} 49 | env: 50 | {{- include "catalog.pgConf" . | nindent 8 }} 51 | {{- include "temporal.config" . | nindent 8 }} 52 | {{- with .Values.flowSnapshotWorker.extraEnv -}} 53 | {{ . | toYaml | nindent 8}} 54 | {{- end }} 55 | {{- with .Values.flowSnapshotWorker.resources }} 56 | resources: {{ toYaml . 
| nindent 10 }} 57 | {{- end }} 58 | {{- end -}} -------------------------------------------------------------------------------- /peerdb/templates/flow-worker-deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.flowWorker.enabled -}} 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: flow-worker 6 | labels: 7 | {{- include "component.labels" "flow-worker" | nindent 4 }} 8 | {{- include "peerdb.common.labels" . | nindent 4 }} 9 | {{- with .Values.flowWorker.deployment.labels }} 10 | {{ . | toYaml | nindent 4 }} 11 | {{- end }} 12 | annotations: 13 | {{- with .Values.flowWorker.deployment.annotations }} 14 | {{ . | toYaml | nindent 4 }} 15 | {{- end }} 16 | spec: 17 | replicas: {{ .Values.flowWorker.replicaCount }} 18 | selector: 19 | matchLabels: 20 | {{- include "component.labels" "flow-worker" | nindent 6 }} 21 | {{- include "peerdb.common.selectorLabels" . | nindent 6 }} 22 | template: 23 | metadata: 24 | labels: 25 | {{- include "component.labels" "flow-worker" | nindent 8 }} 26 | {{- include "peerdb.common.labels" . | nindent 8 }} 27 | {{- with .Values.flowWorker.pods.labels }} 28 | {{ . | toYaml | nindent 8 }} 29 | {{- end }} 30 | annotations: 31 | {{- with .Values.flowWorker.pods.annotations }} 32 | {{ . 
| toYaml | nindent 8 }} 33 | {{- end }} 34 | spec: 35 | {{- if .Values.serviceAccount.name }} 36 | serviceAccountName: {{ .Values.serviceAccount.name }} 37 | {{- end }} 38 | terminationGracePeriodSeconds: {{ default 60 .Values.flowWorker.terminationGracePeriodSeconds }} 39 | {{- include "pods.affinity" (list $ "flowWorker") | nindent 6 }} 40 | {{- include "pods.nodeSelector" (list $ "flowWorker") | nindent 6 }} 41 | {{- include "pods.tolerations" (list $ "flowWorker") | nindent 6 }} 42 | {{- include "pods.imagePullSecrets" (list $ "flowWorker") | nindent 6 }} 43 | containers: 44 | - name: flow-worker 45 | image: "{{ .Values.flowWorker.image.repository }}:{{ .Values.flowWorker.version | default .Values.peerdb.version }}" 46 | imagePullPolicy: {{ .Values.flowWorker.image.pullPolicy }} 47 | env: 48 | {{- include "aws.config" . | nindent 8 }} 49 | {{- include "azure.config" . | nindent 8 }} 50 | {{- include "catalog.pgConf" . | nindent 8 }} 51 | {{- include "temporal.config" . | nindent 8 }} 52 | {{- if .Values.pyroscope.enabled }} 53 | - name: PYROSCOPE_SERVER_ADDRESS 54 | value: 'http://pyroscope:4040' 55 | - name: ENABLE_PROFILING 56 | value: 'true' 57 | {{- end }} 58 | {{- with .Values.flowWorker.extraEnv -}} 59 | {{ . | toYaml | nindent 8}} 60 | {{- end }} 61 | {{- with .Values.flowWorker.resources }} 62 | resources: {{ toYaml . | nindent 10 }} 63 | {{- end }} 64 | {{- end -}} -------------------------------------------------------------------------------- /peerdb/templates/mirror-name-search-attribute-job.yaml: -------------------------------------------------------------------------------- 1 | {{- $temporalValues := index .Values "temporal-deploy" }} 2 | {{- if and .Values.temporal.deploy.enabled .Release.IsInstall }} 3 | apiVersion: batch/v1 4 | kind: Job 5 | metadata: 6 | name: mirror-name-search-attribute 7 | labels: 8 | {{- include "component.labels" "mirror-name-search-attribute" | nindent 4 }} 9 | {{- include "peerdb.common.labels" . 
| nindent 4 }} 10 | spec: 11 | backoffLimit: {{ .Values.temporal.deploy.mirrorNameSearchAttribute.backoffLimit }} 12 | template: 13 | metadata: 14 | name: mirror-name-search-attribute 15 | labels: 16 | {{- include "component.labels" "mirror-name-search-attribute" | nindent 8 }} 17 | {{- include "peerdb.common.labels" . | nindent 8 }} 18 | spec: 19 | restartPolicy: "OnFailure" 20 | {{- with .Values.common.pods.affinity }} 21 | affinity: 22 | {{- . | toYaml | nindent 8 }} 23 | {{- end }} 24 | {{- with .Values.common.pods.nodeSelector }} 25 | nodeSelector: 26 | {{- . | toYaml | nindent 8 }} 27 | {{- end }} 28 | {{- with .Values.common.pods.tolerations }} 29 | tolerations: 30 | {{- . | toYaml | nindent 8 }} 31 | {{- end }} 32 | {{- with .Values.common.pods.imagePullSecrets }} 33 | imagePullSecrets: 34 | {{- . | toYaml | nindent 10 }} 35 | {{- end }} 36 | containers: 37 | - name: mirror-name-search-attribute 38 | image: "{{ $temporalValues.admintools.image.repository }}:{{ $temporalValues.admintools.image.tag }}" 39 | imagePullPolicy: {{ $temporalValues.admintools.image.pullPolicy }} 40 | # Refer to https://github.com/PeerDB-io/peerdb/blob/main/scripts/mirror-name-search.sh 41 | command: 42 | - 'sh' 43 | - '-c' 44 | - | 45 | while ! 
tctl cluster health | grep -q ": SERVING$"; do tctl cluster health; sleep 3; done && (temporal operator search-attribute list | grep -w MirrorName >/dev/null 2>&1) || temporal operator search-attribute create --name MirrorName --type Text --namespace {{ .Values.temporal.namespace }} 46 | env: 47 | - name: TEMPORAL_NAMESPACE 48 | value: {{ .Values.temporal.namespace | quote }} 49 | - name: TEMPORAL_CLI_ADDRESS 50 | value: "{{ .Release.Name }}-temporal-deploy-frontend:{{ $temporalValues.server.frontend.service.port }}" 51 | - name: TEMPORAL_ADDRESS 52 | value: "{{ .Release.Name }}-temporal-deploy-frontend:{{ $temporalValues.server.frontend.service.port }}" 53 | {{- with .Values.temporal.deploy.mirrorNameSearchAttribute.resources }} 54 | resources: 55 | {{- toYaml . | nindent 12 }} 56 | {{- end }} 57 | {{- with .Values.temporal.deploy.mirrorNameSearchAttribute.containerSecurityContext }} 58 | securityContext: 59 | {{- toYaml . | nindent 12 }} 60 | {{- end }} 61 | {{- with .Values.temporal.deploy.mirrorNameSearchAttribute.securityContext }} 62 | securityContext: 63 | {{- toYaml . | nindent 8 }} 64 | {{- end }} 65 | --- 66 | {{- end }} -------------------------------------------------------------------------------- /peerdb/templates/peerdb-server-deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.peerdb.enabled -}} 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: peerdb-server 6 | labels: 7 | {{- include "component.labels" "peerdb-server" | nindent 4 }} 8 | {{- include "peerdb.common.labels" . | nindent 4 }} 9 | {{- with .Values.peerdb.deployment.labels }} 10 | {{ . | toYaml | nindent 4 }} 11 | {{- end }} 12 | annotations: 13 | {{- with .Values.peerdb.deployment.annotations }} 14 | {{ . 
| toYaml | nindent 4 }} 15 | {{- end }} 16 | spec: 17 | replicas: {{ .Values.peerdb.replicaCount }} 18 | selector: 19 | matchLabels: 20 | {{- include "component.labels" "peerdb-server" | nindent 6 }} 21 | {{- include "peerdb.common.selectorLabels" . | nindent 6 }} 22 | template: 23 | metadata: 24 | labels: 25 | {{- include "component.labels" "peerdb-server" | nindent 8 }} 26 | {{- include "peerdb.common.labels" . | nindent 8 }} 27 | {{- with .Values.peerdb.pods.labels }} 28 | {{ . | toYaml | nindent 8 }} 29 | {{- end }} 30 | annotations: 31 | {{- with .Values.peerdb.pods.annotations }} 32 | {{ . | toYaml | nindent 8 }} 33 | {{- end }} 34 | spec: 35 | terminationGracePeriodSeconds: {{ default 60 .Values.peerdb.terminationGracePeriodSeconds }} 36 | {{- include "pods.affinity" (list $ "peerdb") | nindent 6 }} 37 | {{- include "pods.nodeSelector" (list $ "peerdb") | nindent 6 }} 38 | {{- include "pods.tolerations" (list $ "peerdb") | nindent 6 }} 39 | {{- include "pods.imagePullSecrets" (list $ "peerdb") | nindent 6 }} 40 | containers: 41 | - name: peerdb-server 42 | image: "{{ .Values.peerdb.image.repository }}:{{ .Values.peerdb.version }}" 43 | imagePullPolicy: {{ .Values.peerdb.image.pullPolicy }} 44 | ports: 45 | - containerPort: {{ .Values.peerdb.service.targetPort }} 46 | name: api 47 | env: 48 | # catalog config 49 | {{- include "catalog.pgConf" . | nindent 8 }} 50 | - name: PEERDB_LOG_DIR 51 | value: {{ .Values.peerdb.env.logDir }} 52 | - name: PEERDB_PASSWORD 53 | valueFrom: 54 | secretKeyRef: 55 | key: SERVER_PEERDB_PASSWORD 56 | name: peerdb-server-ui-secret 57 | # flow server config 58 | - name: PEERDB_FLOW_SERVER_ADDRESS 59 | value: "http://flow-api:{{ .Values.flowApi.service.port }}" 60 | {{- with .Values.peerdb.extraEnv -}} 61 | {{ . 
| toYaml | nindent 8}} 62 | {{- end }} 63 | livenessProbe: 64 | tcpSocket: 65 | port: api 66 | initialDelaySeconds: 10 67 | periodSeconds: 15 68 | failureThreshold: 3 69 | terminationGracePeriodSeconds: 30 70 | # KISS: this deployment depends on flow-api readiness, auto-resolve readiness wih initialDelay for now 71 | # Use init-container instead: https://stackoverflow.com/questions/51079849/kubernetes-wait-for-other-pod-to-be-ready 72 | readinessProbe: 73 | tcpSocket: 74 | port: api 75 | initialDelaySeconds: 10 76 | periodSeconds: 15 77 | failureThreshold: 3 78 | 79 | {{- with .Values.peerdb.resources }} 80 | resources: {{ toYaml . | nindent 10 }} 81 | {{- end }} 82 | {{- end -}} -------------------------------------------------------------------------------- /peerdb/templates/peerdb-server-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.peerdb.service.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ .Values.peerdb.service.name }} 6 | labels: 7 | {{- include "component.labels" "peerdb-server" | nindent 4 }} 8 | {{- include "peerdb.common.labels" . | nindent 4 }} 9 | annotations: 10 | {{- .Values.peerdb.service.annotations | toYaml | nindent 4 }} 11 | # annotations: 12 | # service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600" 13 | # service.beta.kubernetes.io/azure-load-balancer-idle-timeout: "3600" 14 | spec: 15 | type: {{ .Values.peerdb.service.type }} 16 | ports: 17 | - port: {{ .Values.peerdb.service.port }} 18 | targetPort: {{ .Values.peerdb.service.targetPort }} 19 | protocol: TCP 20 | selector: 21 | {{- include "component.labels" "peerdb-server" | nindent 4 }} 22 | {{- include "peerdb.common.selectorLabels" . 
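| nindent 4 }}
{{- end }}
--------------------------------------------------------------------------------
/peerdb/templates/peerdb-server-ui-secret.yaml:
--------------------------------------------------------------------------------
# Secret holding the credentials shared by peerdb-server and the UI:
#   SERVER_PEERDB_PASSWORD -> peerdb-server env PEERDB_PASSWORD
#   UI_PEERDB_PASSWORD     -> peerdb-ui env PEERDB_PASSWORD
#   UI_NEXTAUTH_SECRET     -> peerdb-ui env NEXTAUTH_SECRET
apiVersion: v1
kind: Secret
metadata:
  name: peerdb-server-ui-secret
  labels:
    {{- include "peerdb.common.labels" . | nindent 4 }}
stringData:
  # `quote` renders a double-quoted YAML scalar with proper escaping. The
  # previous hand-written single quotes produced an invalid (or truncated)
  # manifest whenever a password contained a "'" character.
  UI_PEERDB_PASSWORD: {{ .Values.peerdbUI.credentials.password | quote }}
  SERVER_PEERDB_PASSWORD: {{ .Values.peerdb.credentials.password | quote }}
  # The values key is spelled `nexauth_secret` (sic) and is kept as-is so
  # existing overrides keep working. When it is left empty (the chart default),
  # a fresh 60-character value is generated on *every* render, so each
  # `helm upgrade` rotates NEXTAUTH_SECRET and invalidates all UI sessions.
  # Set it explicitly (ideally from an external secret) for production.
  UI_NEXTAUTH_SECRET: {{ .Values.peerdbUI.credentials.nexauth_secret | default (randAlphaNum 60) | quote }}
--------------------------------------------------------------------------------
/peerdb/templates/peerdb-ui-deployment.yaml:
--------------------------------------------------------------------------------
{{- if .Values.peerdbUI.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: peerdb-ui
  labels:
    {{- include "component.labels" "peerdb-ui" | nindent 4 }}
    {{- include "peerdb.common.labels" . | nindent 4 }}
    {{- with .Values.peerdbUI.deployment.labels }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  annotations:
    {{- with .Values.peerdbUI.deployment.annotations }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
spec:
  replicas: {{ .Values.peerdbUI.replicaCount }}
  selector:
    matchLabels:
      {{- include "component.labels" "peerdb-ui" | nindent 6 }}
      {{- include "peerdb.common.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "component.labels" "peerdb-ui" | nindent 8 }}
        {{- include "peerdb.common.labels" . | nindent 8 }}
        {{- with .Values.peerdbUI.pods.labels }}
        {{ . | toYaml | nindent 8 }}
        {{- end }}
      annotations:
        {{- with .Values.peerdbUI.pods.annotations }}
        {{ .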
| toYaml | nindent 8 }} 33 | {{- end }} 34 | spec: 35 | {{- if .Values.serviceAccount.name }} 36 | serviceAccountName: {{ .Values.serviceAccount.name }} 37 | {{- end }} 38 | terminationGracePeriodSeconds: {{ default 60 .Values.peerdbUI.terminationGracePeriodSeconds }} 39 | {{- include "pods.affinity" (list $ "peerdbUI") | nindent 6 }} 40 | {{- include "pods.nodeSelector" (list $ "peerdbUI") | nindent 6 }} 41 | {{- include "pods.tolerations" (list $ "peerdbUI") | nindent 6 }} 42 | {{- include "pods.imagePullSecrets" (list $ "peerdbUI") | nindent 6 }} 43 | 44 | containers: 45 | - name: peerdb-ui 46 | image: "{{ .Values.peerdbUI.image.repository }}:{{ .Values.peerdbUI.version | default .Values.peerdb.version }}" 47 | imagePullPolicy: {{ .Values.peerdbUI.image.pullPolicy }} 48 | ports: 49 | - containerPort: {{ .Values.peerdbUI.service.targetPort }} 50 | name: web 51 | env: 52 | {{- include "catalog.pgConf" . | nindent 8 }} 53 | # flow server config 54 | - name: PEERDB_FLOW_SERVER_HTTP 55 | value: "http://flow-api:{{ .Values.flowApi.service.httpPort }}" 56 | - name: PEERDB_PASSWORD 57 | valueFrom: 58 | secretKeyRef: 59 | key: UI_PEERDB_PASSWORD 60 | name: peerdb-server-ui-secret 61 | - name: NEXTAUTH_SECRET 62 | valueFrom: 63 | secretKeyRef: 64 | key: UI_NEXTAUTH_SECRET 65 | name: peerdb-server-ui-secret 66 | - name: NEXTAUTH_URL 67 | value: {{ .Values.peerdbUI.service.url }} 68 | {{- with .Values.peerdbUI.extraEnv -}} 69 | {{ . | toYaml | nindent 8}} 70 | {{- end }} 71 | livenessProbe: 72 | tcpSocket: 73 | port: web 74 | initialDelaySeconds: 10 75 | periodSeconds: 3 76 | failureThreshold: 3 77 | terminationGracePeriodSeconds: 30 78 | readinessProbe: 79 | tcpSocket: 80 | port: web 81 | initialDelaySeconds: 10 82 | periodSeconds: 3 83 | failureThreshold: 3 84 | 85 | {{- with .Values.peerdbUI.resources }} 86 | resources: {{ toYaml . 
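| nindent 10 }}
{{- end }}
{{- end -}}
--------------------------------------------------------------------------------
/peerdb/templates/peerdb-ui-ingress.yaml:
--------------------------------------------------------------------------------
{{- /*
Ingress for the PeerDB UI. Only networking.k8s.io/v1 (Kubernetes >= 1.19) is
supported; the legacy v1beta1 branches are kept below as template comments.
NOTE(security): without an entry in `peerdbUI.ingress.tls` the UI, including
its login form, is served over plain HTTP unless TLS is terminated in front
of the ingress controller.
*/ -}}
{{- if .Values.peerdbUI.ingress.enabled -}}
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }}
apiVersion: networking.k8s.io/v1
{{/* {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}*/}}
{{/*apiVersion: networking.k8s.io/v1beta1*/}}
{{/* {{- else if .Capabilities.APIVersions.Has "extensions/v1beta1" }}*/}}
{{/*apiVersion: extensions/v1beta1*/}}
{{- else }}
{{- /* Kubernetes older than 1.19: we could support it, but it is too old to not have other problems. */}}
{{- /* `fail` takes one string, so the printf call must be parenthesised; the old
       `fail printf ("..." .X)` form aborted with a template error ("can't give
       argument to non-function") instead of printing this message. */}}
{{ fail (printf "Ingress API version is not supported by kubernetes version %s" .Capabilities.KubeVersion.GitVersion) }}
{{- end }}
kind: Ingress
metadata:
  name: peerdb-ui
  labels:
    {{- include "component.labels" "peerdb-ui" | nindent 4 }}
    {{- include "peerdb.common.labels" . | nindent 4 }}
  {{- with .Values.peerdbUI.ingress.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  {{- with .Values.peerdbUI.ingress.className }}
  ingressClassName: {{ . | quote }}
  {{- end }}
  {{- if .Values.peerdbUI.ingress.tls }}
  tls:
    {{- range .Values.peerdbUI.ingress.tls }}
    - hosts:
        {{- range .hosts }}
        - {{ . | required "Ingress TLS Host is required at .Values.peerdbUI.ingress.tls.hosts.host" | quote }}
        {{- end }}
      secretName: {{ .secretName | quote }}
    {{- end }}
  {{- end }}
  rules:
    {{- range .Values.peerdbUI.ingress.hosts }}
    - host: {{ .host | required "Ingress host is required at .Values.peerdbUI.ingress.hosts.host" | quote }}
      http:
        paths:
          {{- range .paths }}
          - path: {{ .path | required "Ingress path is required at .Values.peerdbUI.ingress.hosts.paths.path" | quote }}
            {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1" }}
            pathType: Prefix
            backend:
              service:
                name: peerdb-ui
                port:
                  number: {{ $.Values.peerdbUI.service.port }}
            {{/* {{- else if $.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}*/}}
            {{/* backend:*/}}
            {{/*   serviceName: peerdb-ui*/}}
            {{/*   servicePort: {{ $.Values.peerdbUI.service.port }}*/}}
            {{/* {{- end }}*/}}
            {{- end }}
          {{- end }}
    {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/peerdb/templates/peerdb-ui-service.yaml:
--------------------------------------------------------------------------------
{{- if .Values.peerdbUI.service.enabled -}}
apiVersion: v1
kind: Service
metadata:
  name: peerdb-ui
  labels:
    {{- include "component.labels" "peerdb-ui" | nindent 4 }}
    {{- include "peerdb.common.labels" . | nindent 4 }}
  annotations:
    {{- .Values.peerdbUI.service.annotations | toYaml | nindent 4 }}
spec:
  selector:
    {{- include "component.labels" "peerdb-ui" | nindent 4 }}
    {{- include "peerdb.common.selectorLabels" .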
| nindent 4 }} 15 | ports: 16 | - protocol: TCP 17 | port: {{ .Values.peerdbUI.service.port }} 18 | targetPort: {{ .Values.peerdbUI.service.targetPort }} 19 | type: {{ if .Values.authentication.enabled }}ClusterIP{{ else }}{{ .Values.peerdbUI.service.type }}{{ end }} 20 | {{- end -}} -------------------------------------------------------------------------------- /peerdb/templates/register-namespace-job.yaml: -------------------------------------------------------------------------------- 1 | {{- $temporalValues := index .Values "temporal-deploy" }} 2 | {{- if and .Values.temporal.deploy.enabled .Release.IsInstall }} 3 | apiVersion: batch/v1 4 | kind: Job 5 | metadata: 6 | name: temporal-namespace-register 7 | labels: 8 | {{- include "component.labels" "temporal-namespace-register" | nindent 4 }} 9 | {{- include "peerdb.common.labels" . | nindent 4 }} 10 | spec: 11 | backoffLimit: {{ .Values.temporal.deploy.registerNamespace.backoffLimit }} 12 | template: 13 | metadata: 14 | name: temporal-namespace-register 15 | labels: 16 | {{- include "component.labels" "temporal-namespace-register" | nindent 8 }} 17 | {{- include "peerdb.common.labels" . | nindent 8 }} 18 | spec: 19 | restartPolicy: "OnFailure" 20 | {{- with .Values.common.pods.affinity }} 21 | affinity: 22 | {{- . | toYaml | nindent 8 }} 23 | {{- end }} 24 | {{- with .Values.common.pods.nodeSelector }} 25 | nodeSelector: 26 | {{- . | toYaml | nindent 8 }} 27 | {{- end }} 28 | {{- with .Values.common.pods.tolerations }} 29 | tolerations: 30 | {{- . | toYaml | nindent 8 }} 31 | {{- end }} 32 | {{- with .Values.common.pods.imagePullSecrets }} 33 | imagePullSecrets: 34 | {{- . | toYaml | nindent 10 }} 35 | {{- end }} 36 | containers: 37 | - name: register-namespace 38 | image: "{{ $temporalValues.admintools.image.repository }}:{{ $temporalValues.admintools.image.tag }}" 39 | imagePullPolicy: {{ $temporalValues.admintools.image.pullPolicy }} 40 | command: [ 'sh', '-c', 'while ! 
tctl cluster health | grep -q ": SERVING$"; do tctl cluster health; sleep 3; done && tctl namespace list | grep -q "^Name: ${TEMPORAL_NAMESPACE}$" || tctl --namespace "${TEMPORAL_NAMESPACE}" namespace register' ] 41 | 42 | env: 43 | - name: TEMPORAL_NAMESPACE 44 | value: {{ .Values.temporal.namespace | quote }} 45 | - name: TEMPORAL_CLI_ADDRESS 46 | value: "{{ .Release.Name }}-temporal-deploy-frontend:{{ $temporalValues.server.frontend.service.port }}" 47 | - name: TEMPORAL_ADDRESS 48 | value: "{{ .Release.Name }}-temporal-deploy-frontend:{{ $temporalValues.server.frontend.service.port }}" 49 | {{- with .Values.temporal.deploy.registerNamespace.resources }} 50 | resources: 51 | {{- toYaml . | nindent 12 }} 52 | {{- end }} 53 | {{- with .Values.temporal.deploy.registerNamespace.containerSecurityContext }} 54 | securityContext: 55 | {{- toYaml . | nindent 12 }} 56 | {{- end }} 57 | {{- with .Values.temporal.deploy.registerNamespace.securityContext }} 58 | securityContext: 59 | {{- toYaml . | nindent 8 }} 60 | {{- end }} 61 | --- 62 | {{- end }} -------------------------------------------------------------------------------- /peerdb/templates/service-account.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccount.name }} 6 | annotations: 7 | {{- if .Values.aws.roleArn }} 8 | eks.amazonaws.com/role-arn: {{ .Values.aws.roleArn }} 9 | {{- end }} 10 | labels: 11 | heritage: {{ .Release.Service | quote }} 12 | release: {{ .Release.Name | quote }} 13 | chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" 14 | {{- include "peerdb.common.labels" . 
| nindent 4 }} 15 | {{- end -}} -------------------------------------------------------------------------------- /peerdb/values.customer.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PeerDB-io/peerdb-enterprise/d513f4c4a8e8f2d5ebe433e40e39af2c632437a2/peerdb/values.customer.yaml -------------------------------------------------------------------------------- /peerdb/values.yaml: -------------------------------------------------------------------------------- 1 | catalog: 2 | # -- catalog host - autofilled if using in-cluster catalog, else pulled from .env 3 | pgHost: _PG_HOST_ 4 | # -- catalog port - autofilled if using in-cluster catalog, else pulled from .env 5 | pgPort: _PG_PORT_ 6 | # -- catalog user - autofilled if using in-cluster catalog, else pulled from .env 7 | pgUser: _PG_USER_ 8 | # -- catalog password - autofilled if using in-cluster catalog, else pulled from .env 9 | pgPassword: _PG_PASSWORD_ 10 | # -- catalog database - autofilled if using in-cluster catalog, else pulled from .env 11 | pgDatabase: _PG_DATABASE_ 12 | # -- catalog admin database - autofilled if using in-cluster catalog, else pulled from .env 13 | pgAdminDatabase: _PG_ADMIN_DATABASE_ 14 | deploy: 15 | # -- Whether to deploy the catalog, pulled from `CATALOG_DEPLOY_ENABLED` from .env 16 | enabled: false 17 | clusterName: catalog-pg-cluster 18 | # -- catalog credentials secret name - autofilled if using in-cluster catalog, else pulled `CATALOG_DB_MANUAL_CREDS_NAME` from .env and is used to create the secret for the catalog, creds are pulled from .env 19 | credentialsSecretName: _CATALOG_DB_MANUAL_CREDS_NAME_ 20 | # -- Use an existing secret for catalog credentials. 
Use this when saving credentials to values.yaml is not desired 21 | existingSecret: "" 22 | aws: 23 | accessKeyId: 24 | secretAccessKey: 25 | region: _AWS_REGION_ 26 | roleArn: 27 | 28 | azure: 29 | clientId: 30 | clientSecret: 31 | subscriptionId: 32 | tenantId: 33 | 34 | serviceAccount: 35 | create: true 36 | name: 37 | 38 | temporal: 39 | deploy: 40 | # -- Whether to deploy temporal, pulled from `TEMPORAL_DEPLOY_ENABLED` from .env 41 | enabled: true 42 | # TODO for multiple enterprise deployments: namespace, mirrorSearchAttribute needs to be created manually for now 43 | registerNamespace: 44 | backoffLimit: 100 45 | resources: 46 | requests: 47 | cpu: 0.1 48 | memory: 128Mi 49 | ephemeral-storage: 4Gi 50 | limits: 51 | cpu: 0.5 52 | memory: 256Mi 53 | ephemeral-storage: 4Gi 54 | mirrorNameSearchAttribute: 55 | backoffLimit: 100 56 | resources: 57 | requests: 58 | cpu: 0.1 59 | memory: 128Mi 60 | limits: 61 | cpu: 0.5 62 | memory: 256Mi 63 | host: peerdb-temporal-frontend 64 | port: 7233 65 | k8s_namespace: _PEERDB_TEMPORAL_K8S_NAMESPACE_ 66 | namespace: default 67 | releaseName: _PEERDB_TEMPORAL_RELEASE_NAME_ 68 | clientCert: _PEERDB_TEMPORAL_CLIENT_CERT_ 69 | clientKey: _PEERDB_TEMPORAL_CLIENT_KEY_ 70 | taskQueueId: _PEERDB_DEPLOYMENT_UID_ 71 | 72 | pyroscope: 73 | enabled: false 74 | 75 | flowWorker: 76 | enabled: true 77 | extraEnv: [] 78 | lowCost: false 79 | pods: 80 | nodeSelector: { } 81 | tolerations: [ ] 82 | # -- flowWorker pod affinity, the default is to schedule flowWorker pods on different nodes than other flowWorker pods for High Availability 83 | affinity: 84 | podAntiAffinity: 85 | preferredDuringSchedulingIgnoredDuringExecution: 86 | - weight: 100 87 | podAffinityTerm: 88 | labelSelector: 89 | matchExpressions: 90 | - key: app 91 | operator: In 92 | values: 93 | - flow-worker 94 | topologyKey: topology.kubernetes.io/zone 95 | # -- annotations that will be applied to all flowWorker pods, NOT the deployment 96 | annotations: { } 97 | # -- labels 
that will be applied to all flowWorker pods, NOT the deployment 98 | labels: { } 99 | deployment: 100 | # -- labels that will be applied to the flowWorker deployment, NOT the pods 101 | labels: { } 102 | # -- annotations that will be applied to the flowWorker deployment, NOT the pods 103 | annotations: { } 104 | replicaCount: 2 105 | image: 106 | repository: ghcr.io/peerdb-io/flow-worker 107 | pullPolicy: Always 108 | resources: 109 | requests: 110 | cpu: 2 111 | memory: 8Gi 112 | ephemeral-storage: 64Gi 113 | limits: 114 | cpu: 4 115 | memory: 8Gi 116 | ephemeral-storage: 128Gi 117 | 118 | flowSnapshotWorker: 119 | enabled: true 120 | extraEnv: [] 121 | lowCost: true 122 | pods: 123 | nodeSelector: { } 124 | tolerations: [ ] 125 | affinity: { } 126 | # -- annotations that will be applied to all flowSnapshotWorker pods, NOT the statefulSet 127 | annotations: { } 128 | # -- labels that will be applied to all flowSnapshotWorker pods, NOT the statefulSet 129 | labels: { } 130 | statefulSet: 131 | # -- labels that will be applied to the flowSnapshotWorker statefulSet, NOT the pods 132 | labels: { } 133 | # -- annotations that will be applied to the flowSnapshotWorker statefulSet, NOT the pods 134 | annotations: { } 135 | replicaCount: 1 136 | image: 137 | repository: ghcr.io/peerdb-io/flow-snapshot-worker 138 | pullPolicy: Always 139 | resources: 140 | requests: 141 | cpu: 0.5 142 | memory: 1Gi 143 | ephemeral-storage: 10Gi 144 | limits: 145 | cpu: 1 146 | memory: 1Gi 147 | ephemeral-storage: 16Gi 148 | service: 149 | enabled: true 150 | annotations: { } 151 | 152 | flowApi: 153 | enabled: true 154 | extraEnv: [] 155 | lowCost: true 156 | pods: 157 | nodeSelector: { } 158 | tolerations: [ ] 159 | # -- flowApi pod affinity, the default is to schedule flowApi pods on different nodes than other flowApi pods for High Availability 160 | affinity: 161 | podAntiAffinity: 162 | preferredDuringSchedulingIgnoredDuringExecution: 163 | - weight: 100 164 | podAffinityTerm: 165 | 
labelSelector: 166 | matchExpressions: 167 | - key: app 168 | operator: In 169 | values: 170 | - flow-api 171 | topologyKey: topology.kubernetes.io/zone 172 | # -- annotations that will be applied to all flowApi pods, NOT the deployment 173 | annotations: { } 174 | # -- labels that will be applied to all flowApi pods, NOT the deployment 175 | labels: { } 176 | deployment: 177 | # -- labels that will be applied to the flowApi deployment, NOT the pods 178 | labels: { } 179 | # -- annotations that will be applied to the flowApi deployment, NOT the pods 180 | annotations: { } 181 | replicaCount: 4 182 | image: 183 | repository: ghcr.io/peerdb-io/flow-api 184 | pullPolicy: Always 185 | service: 186 | enabled: true 187 | type: ClusterIP 188 | port: 8112 189 | targetPort: 8112 190 | httpPort: 8113 191 | targetHttpPort: 8113 192 | annotations: { } 193 | resources: 194 | requests: 195 | cpu: 0.1 196 | memory: 128Mi 197 | ephemeral-storage: 4Gi 198 | limits: 199 | cpu: 0.5 200 | memory: 256Mi 201 | ephemeral-storage: 4Gi 202 | 203 | peerdbUI: 204 | enabled: true 205 | credentials: 206 | password: _PEERDB_PASSWORD_ 207 | nexauth_secret: '' 208 | extraEnv: [] 209 | lowCost: true 210 | pods: 211 | nodeSelector: { } 212 | tolerations: [ ] 213 | # -- peerdbUI pod affinity, the default is to schedule peerdbUI pods on different nodes than other peerdbUI pods for High Availability 214 | affinity: 215 | podAntiAffinity: 216 | preferredDuringSchedulingIgnoredDuringExecution: 217 | - weight: 100 218 | podAffinityTerm: 219 | labelSelector: 220 | matchExpressions: 221 | - key: app 222 | operator: In 223 | values: 224 | - peerdb-ui 225 | topologyKey: topology.kubernetes.io/zone 226 | # -- annotations that will be applied to all peerdbUI pods, NOT the deployment 227 | annotations: { } 228 | # -- labels that will be applied to all peerdbUI pods, NOT the deployment 229 | labels: { } 230 | deployment: 231 | # -- labels that will be applied to the peerdbUI deployment, NOT the pods 232 | 
labels: { }
    # -- annotations that will be applied to the peerdbUI deployment, NOT the pods
    annotations: { }
  replicaCount: 4
  image:
    repository: ghcr.io/peerdb-io/peerdb-ui
    pullPolicy: Always
  service:
    enabled: true
    # -- NOTE(security): the default publishes the UI on an external load-balancer
    # address reachable by anyone who can route to it, guarded only by the UI's
    # own password login. The Service forwards plain TCP on port 3000 and the
    # chart configures no TLS for it, so the login password and session cookies
    # cross the network in clear text. Outside a private test cluster prefer
    # `type: ClusterIP` behind the ingress (with `ingress.tls` set) and/or
    # `authentication.enabled: true`, which forces this Service to ClusterIP.
    type: LoadBalancer
    port: 3000
    targetPort: 3000
    # -- Public URL of the UI; handed to the pod as NEXTAUTH_URL
    url: _PEERDB_UI_SERVICE_URL_
    annotations: { }

  resources:
    requests:
      cpu: 0.1
      memory: 256Mi
      ephemeral-storage: 4Gi
    limits:
      cpu: 0.5
      memory: 512Mi
      ephemeral-storage: 4Gi
  ingress:
    enabled: false
    annotations: { }
    className: ""
    # -- TLS configuration for ingress. Eg: `[ { hosts: [ "example.com" ], secretName: "example-tls" } ]`
    # Leave empty only when TLS is terminated in front of the ingress controller;
    # otherwise the UI login is served over plain HTTP.
    tls: [ ]
    # -- List of Hosts for the Ingress
    hosts:
      # -- Host of the ingress, non-empty
      - host: ""
        # -- Paths within the host
        paths:
          # -- Path within the host, non-empty
          - path: /


peerdb:
  enabled: true
  extraEnv: []
  lowCost: true
  pods:
    nodeSelector: { }
    tolerations: [ ]
    # -- peerdb pod affinity, the default is to schedule peerdb pods on different nodes than other peerdb pods for High Availability
    affinity:
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - peerdb-server
              topologyKey: topology.kubernetes.io/zone
    # -- annotations that will be applied to the peerdb-server pods, NOT the deployment
    annotations: { }
    # -- labels that will be applied to the peerdb-server pods, NOT the deployment
    labels: { }
  deployment:
    # -- labels that will be applied to the peerdb-server deployment, NOT the pods
    labels: { }
    # -- annotations that will be applied to the peerdb-server deployment, NOT the pods
    annotations: { }
  replicaCount: 4
  # -- This version is overridden by .env file if the install_peerdb.sh script is being used
  # In that case, either update the .env file or override it via values.customer.yaml when installing
  version: stable-v0.22.1
  image:
    repository: ghcr.io/peerdb-io/peerdb-server
    pullPolicy: Always
  service:
    enabled: true
    name: peerdb-server
    port: 9900
    targetPort: 9900
    type: ClusterIP
    annotations: { }
  env:
    logDir: "/var/log/peerdb"
  credentials:
    # -- Password for the peerdb-server API; rendered into the
    # `peerdb-server-ui-secret` Secret as SERVER_PEERDB_PASSWORD.
    # NOTE(security): "peerdb" is a well-known placeholder, not a generated
    # value. Override it (ideally from an external secret) before exposing the
    # deployment; leaving it as-is ships a default credential.
    password: "peerdb"
  resources:
    requests:
      cpu: 0.1
      memory: 128Mi
      ephemeral-storage: 4Gi
    limits:
      cpu: 0.5
      memory: 256Mi
      ephemeral-storage: 4Gi

authentication:
  # -- Optional nginx proxy with htpasswd-based authentication in front of the
  # UI and Temporal web (see templates/authentication/). When enabled, the
  # peerdb-ui Service is forced to ClusterIP so the proxy is the only entry point.
  enabled: false
  replicaCount: 4
  credentials:
    username: peerdb-user
    # -- Proxy password; no default. Must be provided whenever
    # `authentication.enabled` is true.
    password:
  service:
    # -- NOTE(security): port 80 behind an external LoadBalancer means the
    # proxy credentials cross the network in clear text unless TLS is
    # terminated in front of this Service (cloud LB listener or ingress).
    port: 80
    targetPort: 80
    type: LoadBalancer
    annotations: { }
  image:
    repository: nginx
    # -- NOTE(supply-chain): `latest` together with `pullPolicy: Always` pulls
    # an unreviewed, non-reproducible image on every pod start. Pin a specific
    # version (or digest) in values.customer.yaml for production.
    tag: latest
    pullPolicy: Always
  resources:
    requests:
      cpu: 0.1
      memory: 128Mi
      ephemeral-storage: 4Gi
    limits:
      cpu: 0.5
      memory: 256Mi
      ephemeral-storage: 4Gi
  healthcheck:
    path: "/health"
    script:
      timeoutSeconds: 55
  backendService:
    peerdbUi:
      hostPattern: ""
    temporal:
      hostPattern: ""

temporal-deploy:
  server:
    dynamicConfig:
      limit.maxIDLength:
        - value: 255
          constraints: {}
      frontend.enableUpdateWorkflowExecution:
        - value: true # to enable external updates of workflow status [PAUSING, TERMINATING]
    replicaCount: 1
    config:
      persistence:
        default:
          driver: "sql"

          sql:
            driver: "postgres12"
            host: _HOST_
            port: 5432
            database: temporal
            user: _USERNAME_
            # -- Plaintext password placeholder, substituted from .env by the install scripts
            password: _PASSWORD_
            # for a production deployment use this instead
of `password` and provision the secret beforehand e.g. with a sealed secret 385 | # it has a single key called `password` 386 | # existingSecret: temporal-default-store 387 | maxConns: 20 388 | maxConnLifetime: "1h" 389 | tls: 390 | enabled: _TEMPORAL_SSL_MODE_ 391 | # enableHostVerification: true 392 | # serverName: _HOST_ # this is strictly required when using serverless CRDB offerings 393 | 394 | visibility: 395 | driver: "sql" 396 | 397 | sql: 398 | driver: "postgres12" 399 | host: _HOST_ 400 | port: 5432 401 | database: temporal_visibility 402 | user: _USERNAME_ 403 | password: _PASSWORD_ 404 | # for a production deployment use this instead of `password` and provision the secret beforehand e.g. with a sealed secret 405 | # it has a single key called `password` 406 | # existingSecret: temporal-visibility-store 407 | maxConns: 20 408 | maxConnLifetime: "1h" 409 | tls: 410 | enabled: _TEMPORAL_SSL_MODE_ 411 | # enableHostVerification: true 412 | # serverName: _HOST_ # this is strictly required when using serverless CRDB offerings 413 | resources: 414 | requests: 415 | cpu: 2 416 | memory: 2Gi 417 | limits: 418 | cpu: 4 419 | memory: 4Gi 420 | frontend: 421 | replicaCount: 1 422 | resources: 423 | requests: 424 | cpu: 1 425 | memory: 1Gi 426 | limits: 427 | cpu: 1.5 428 | memory: 1.5Gi 429 | # -- `frontend` pod affinity, the default is to schedule frontend pods on different nodes than other frontend pods for High Availability 430 | affinity: 431 | podAntiAffinity: 432 | preferredDuringSchedulingIgnoredDuringExecution: 433 | - weight: 100 434 | podAffinityTerm: 435 | labelSelector: 436 | matchExpressions: 437 | - key: app.kubernetes.io/name 438 | operator: In 439 | values: 440 | - temporal-deploy 441 | - key: app.kubernetes.io/component 442 | operator: In 443 | values: 444 | - web 445 | topologyKey: topology.kubernetes.io/zone 446 | history: 447 | replicaCount: 1 448 | resources: 449 | requests: 450 | cpu: 1 451 | memory: 1.5Gi 452 | limits: 453 | cpu: 2 454 | 
memory: 2Gi 455 | # -- `history` pod affinity, the default is to schedule history pods on different nodes than other history pods for High Availability 456 | affinity: 457 | podAntiAffinity: 458 | preferredDuringSchedulingIgnoredDuringExecution: 459 | - weight: 100 460 | podAffinityTerm: 461 | labelSelector: 462 | matchExpressions: 463 | - key: app.kubernetes.io/name 464 | operator: In 465 | values: 466 | - temporal-deploy 467 | - key: app.kubernetes.io/component 468 | operator: In 469 | values: 470 | - history 471 | topologyKey: topology.kubernetes.io/zone 472 | matching: 473 | replicaCount: 1 474 | resources: 475 | requests: 476 | cpu: 1 477 | memory: 1Gi 478 | limits: 479 | cpu: 1.5 480 | memory: 1.5Gi 481 | # -- `matching` pod affinity, the default is to schedule matching pods on different nodes than other matching pods for High Availability 482 | affinity: 483 | podAntiAffinity: 484 | preferredDuringSchedulingIgnoredDuringExecution: 485 | - weight: 100 486 | podAffinityTerm: 487 | labelSelector: 488 | matchExpressions: 489 | - key: app.kubernetes.io/name 490 | operator: In 491 | values: 492 | - temporal-deploy 493 | - key: app.kubernetes.io/component 494 | operator: In 495 | values: 496 | - matching 497 | topologyKey: topology.kubernetes.io/zone 498 | worker: 499 | replicaCount: 1 500 | resources: 501 | requests: 502 | cpu: 1 503 | memory: 1Gi 504 | limits: 505 | cpu: 1.5 506 | memory: 1.5Gi 507 | # -- `worker` pod affinity, the default is to schedule worker pods on different nodes than other worker pods for High Availability 508 | affinity: 509 | podAntiAffinity: 510 | preferredDuringSchedulingIgnoredDuringExecution: 511 | - weight: 100 512 | podAffinityTerm: 513 | labelSelector: 514 | matchExpressions: 515 | - key: app.kubernetes.io/name 516 | operator: In 517 | values: 518 | - temporal-deploy 519 | - key: app.kubernetes.io/component 520 | operator: In 521 | values: 522 | - worker 523 | topologyKey: topology.kubernetes.io/zone 524 | 525 | web: 526 | 
replicaCount: 1 527 | image: 528 | tag: 2.22.2 # refer to https://github.com/PeerDB-io/peerdb/blob/a4c028c993070edcc132aa8e621d321d9264bb7a/docker-compose.yml#L93 529 | resources: 530 | requests: 531 | cpu: 100m 532 | memory: 512Mi 533 | limits: 534 | cpu: 1 535 | memory: 1Gi 536 | # -- `web` pod affinity, the default is to schedule web pods on different nodes than other web pods for High Availability 537 | affinity: 538 | podAntiAffinity: 539 | preferredDuringSchedulingIgnoredDuringExecution: 540 | - weight: 100 541 | podAffinityTerm: 542 | labelSelector: 543 | matchExpressions: 544 | - key: app.kubernetes.io/name 545 | operator: In 546 | values: 547 | - temporal-deploy 548 | - key: app.kubernetes.io/component 549 | operator: In 550 | values: 551 | - web 552 | topologyKey: topology.kubernetes.io/zone 553 | 554 | admintools: 555 | resources: 556 | requests: 557 | cpu: 100m 558 | memory: 128Mi 559 | limits: 560 | cpu: 500m 561 | memory: 256Mi 562 | 563 | cassandra: 564 | enabled: false 565 | 566 | mysql: 567 | enabled: false 568 | 569 | elasticsearch: 570 | enabled: false 571 | grafana: 572 | enabled: false 573 | prometheus: 574 | enabled: false 575 | 576 | schema: 577 | setup: 578 | enabled: false 579 | update: 580 | enabled: false 581 | createDatabase: 582 | enabled: false 583 | 584 | datadog: 585 | # -- Whether to deploy datadog, pulled from `DATADOG_ENABLED` from .env 586 | enabled: _DATADOG_ENABLED_ 587 | datadog: 588 | containerExclude: "kube_namespace:.*" 589 | containerInclude: "kube_namespace:_PEERDB_K8S_NAMESPACE_" 590 | networkMonitoring: 591 | enabled: true 592 | # -- datadog site, pulled from `DATADOG_SITE` from .env 593 | site: _DATADOG_SITE_ 594 | # -- datadog api key, pulled from `DATADOG_API_KEY` from .env 595 | apiKey: _DATADOG_API_KEY_ 596 | # -- datadog cluster name, pulled from `DATADOG_CLUSTER_NAME` from .env 597 | clusterName: _DATADOG_CLUSTER_NAME_ 598 | logs: 599 | enabled: true 600 | containerCollectAll: true 601 | tags: 602 | - 
"peerdb.io/cluster-for:enterprise" 603 | clusterAgent: 604 | replicas: 2 605 | createPodDisruptionBudget: true 606 | enabled: true 607 | 608 | # -- Common values for all peerdb components that will be merged with the specific component values 609 | common: 610 | pods: 611 | # -- Node selector that will be applied to all the peerdb components additively 612 | nodeSelector: { } 613 | # -- Tolerations that will be applied to all the peerdb components additively 614 | tolerations: [ ] 615 | # -- Affinity that will be applied to all the peerdb components additively 616 | affinity: { } 617 | # -- Image pull secrets that will be applied to all the peerdb components additively 618 | imagePullSecrets: [] 619 | 620 | global: 621 | peerdb: 622 | enterprise: 623 | # -- Whether to save customer values as a kubernetes secret for backup, pulled from `SAVE_VALUES_AS_SECRET` from .env 624 | saveCustomerValuesAsSecret: _SAVE_VALUES_AS_SECRET_ 625 | lowCost: 626 | # -- Node selector that will be applied to all the lowCost=true peerdb components additively 627 | nodeSelector: { } 628 | # -- Tolerations that will be applied to all the lowCost=true peerdb components additively 629 | tolerations: [ ] 630 | # -- Affinity that will be applied to all the lowCost=true peerdb components additively 631 | affinity: { } 632 | -------------------------------------------------------------------------------- /port_forward_catalog.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -Eeuo pipefail 3 | 4 | 5 | function wait_for_pg_ready() { 6 | kubectl wait --timeout=300s --for=condition=ready -n "${PEERDB_K8S_NAMESPACE}" pod -l "postgres-operator.crunchydata.com/cluster=${CATALOG_DEPLOY_CLUSTER_NAME}" -l "postgres-operator.crunchydata.com/role=master" 7 | } 8 | 9 | # We have to setup a tunnel service for postgres because of no selector and then port forward 10 | function port_forward_k8s_pg() { 11 | NEW_PORT=$1 12 | wait_for_pg_ready 13 
| tunnel_name="pg-tunnel-$USER-$RANDOM" 14 | kubectl -n "${PEERDB_K8S_NAMESPACE}" run "${tunnel_name}" --image=alpine/socat tcp-listen:5432,fork,reuseaddr "tcp-connect:${CATALOG_DEPLOY_CLUSTER_NAME}-primary:${PG_PORT}" & 15 | tunel_pid=$! 16 | function del_tunnel() { 17 | echo deleting TUNNEL 18 | kubectl delete -n "${PEERDB_K8S_NAMESPACE}" "pods/${tunnel_name}" 19 | } 20 | trap del_tunnel EXIT 21 | echo Waiting for tunnel to get ready 22 | sleep 3 23 | echo Tunnel is ready 24 | kubectl wait --for=condition=ready -n "${PEERDB_K8S_NAMESPACE}" pod -l run="${tunnel_name}" 25 | kubectl port-forward -n "${PEERDB_K8S_NAMESPACE}" "pods/${tunnel_name}" $NEW_PORT:5432 & #> /dev/null 2>&1 & 26 | port_forward_pid=$! 27 | # kill the port-forward regardless of how this script exits 28 | function kill_forward() { 29 | del_tunnel 30 | echo killing PORT_FORWARD 31 | kill $port_forward_pid 32 | } 33 | trap kill_forward EXIT 34 | 35 | while ! nc -vz localhost $NEW_PORT > /dev/null 2>&1 ; do 36 | echo "Waiting for port forward to become available" 37 | sleep 1 38 | done 39 | } 40 | 41 | 42 | function check_catalog_deploy() { 43 | if [[ "$CATALOG_DEPLOY_ENABLED" == "true" ]]; then 44 | NEW_PORT=$(( ( RANDOM ) + 1024 )) 45 | port_forward_k8s_pg $NEW_PORT 46 | export PG_PASSWORD=$(kubectl get secrets -n "${PEERDB_K8S_NAMESPACE}" "${CATALOG_DEPLOY_CLUSTER_NAME}-pguser-${PG_USER}" -o jsonpath='{.data.password}' | base64 -d ) 47 | export TEMPORAL_PASSWORD=$(kubectl get secrets -n "${PEERDB_K8S_NAMESPACE}" "${CATALOG_DEPLOY_CLUSTER_NAME}-pguser-${TEMPORAL_USER}" -o jsonpath='{.data.password}' | base64 -d ) 48 | export PG_PORT="$NEW_PORT" 49 | export PG_HOST="localhost" 50 | fi 51 | } 52 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | 
"local>PeerDB-io/.github:renovate-config" 5 | ] 6 | } 7 | -------------------------------------------------------------------------------- /setup_postgres.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -Eeuo pipefail 3 | 4 | 5 | # Source .env file 6 | set -a; source .env; set +a 7 | 8 | 9 | 10 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" 11 | PG_SETUP_DIR="${SCRIPT_DIR}/peerdb-catalog/pgSetup" 12 | 13 | source "$SCRIPT_DIR/port_forward_catalog.sh" && check_catalog_deploy 14 | 15 | 16 | pushd $PG_SETUP_DIR 17 | 18 | make 19 | ./peerdb-pg-setup 20 | 21 | popd 22 | -------------------------------------------------------------------------------- /setup_temporal_schema.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -Eeuo pipefail 3 | 4 | # source .env file 5 | set -a 6 | source .env 7 | set +a 8 | 9 | 10 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" 11 | TEMPORAL_SETUP_DIR="${SCRIPT_DIR}/temporal" 12 | 13 | 14 | source "$SCRIPT_DIR/port_forward_catalog.sh" && check_catalog_deploy 15 | 16 | export SQL_PLUGIN=postgres12 17 | export SQL_HOST=$PG_HOST 18 | export SQL_PORT=$PG_PORT 19 | export SQL_USER=$TEMPORAL_USER 20 | export SQL_TLS=$TEMPORAL_SSL_MODE 21 | 22 | if [ -n "${TEMPORAL_SSL_CA_CERT_PATH:-}" ]; then 23 | export SQL_TLS_CA_FILE=$TEMPORAL_SSL_CA_CERT_PATH 24 | fi 25 | 26 | export SQL_PASSWORD=$TEMPORAL_PASSWORD 27 | 28 | pushd $TEMPORAL_SETUP_DIR 29 | 30 | make temporal-sql-tool 31 | 32 | echo "Setting up Temporal schema for Postgres - $SQL_HOST:$SQL_PORT - $TEMPORAL_DB" 33 | # ./temporal-sql-tool --database temporal create-database 34 | SQL_DATABASE=${TEMPORAL_DB} ./temporal-sql-tool --db $TEMPORAL_DB setup-schema -v 0.0 35 | SQL_DATABASE=${TEMPORAL_DB} ./temporal-sql-tool --db $TEMPORAL_DB update -schema-dir schema/postgresql/v12/temporal/versioned 36 | 37 | echo 
"Setting up Temporal visibility schema for Postgres - $SQL_HOST:$SQL_PORT - $TEMPORAL_VISIBILITY_DB" 38 | # ./temporal-sql-tool --database temporal_visibility create-database 39 | SQL_DATABASE=${TEMPORAL_VISIBILITY_DB} ./temporal-sql-tool --db $TEMPORAL_VISIBILITY_DB setup-schema -v 0.0 40 | SQL_DATABASE=${TEMPORAL_VISIBILITY_DB} ./temporal-sql-tool --db $TEMPORAL_VISIBILITY_DB update -schema-dir schema/postgresql/v12/visibility/versioned 41 | 42 | popd 43 | -------------------------------------------------------------------------------- /test_catalog.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -Eeuo pipefail 3 | 4 | # Source .env file 5 | set -a 6 | source .env 7 | set +a 8 | 9 | helm test -n "$PEERDB_K8S_NAMESPACE" "$PEERDB_RELEASE_NAME"-catalog --logs --timeout 30s -------------------------------------------------------------------------------- /utils/connect_catalog.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -Eeuo pipefail 3 | 4 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" 5 | 6 | # Source .env file in parent directory 7 | set -a 8 | source "${SCRIPT_DIR}/../.env" 9 | set +a 10 | 11 | 12 | source "$SCRIPT_DIR/../port_forward_catalog.sh" && check_catalog_deploy 13 | 14 | psql "host=${PG_HOST} port=${PG_PORT} user=${PG_USER} password=${PG_PASSWORD} dbname=${PEERDB_CATALOG_DATABASE}" 15 | -------------------------------------------------------------------------------- /utils/connect_peerdb.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -Exeuo pipefail 3 | 4 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" 5 | 6 | # Source .env file in parent directory 7 | set -a 8 | source "${SCRIPT_DIR}/../.env" 9 | set +a 10 | 11 | get_service_ip_or_hostname() { 12 | local namespace="$1" 13 | local service_name="$2" 14 | local 
hostname=$(kubectl get service "$service_name" -n "$namespace" -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') 15 | local ip=$(kubectl get service "$service_name" -n "$namespace" -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 16 | if [[ -n "$hostname" ]]; then 17 | echo "$hostname" 18 | elif [[ -n "$ip" ]]; then 19 | echo "$ip" 20 | else 21 | echo "Neither IP nor hostname could be retrieved for service: $service_name" >&2 22 | exit 1 23 | fi 24 | } 25 | 26 | ip=$(get_service_ip_or_hostname ${PEERDB_K8S_NAMESPACE} peerdb-server) 27 | port=$(kubectl get service peerdb-server -n ${PEERDB_K8S_NAMESPACE} -o jsonpath='{.spec.ports[0].port}') 28 | 29 | psql "host=${ip} port=${port} user=peerdb password=${PEERDB_PASSWORD} dbname=peerdb" 30 | -------------------------------------------------------------------------------- /utils/tctl.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -Eeuo pipefail 3 | 4 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" 5 | 6 | # Source .env file in parent directory 7 | set -a 8 | source "${SCRIPT_DIR}/../.env" 9 | set +a 10 | 11 | kubectl -n ${TEMPORAL_K8S_NAMESPACE} exec -it services/${TEMPORAL_RELEASE_NAME}-admintools -- /bin/bash 12 | -------------------------------------------------------------------------------- /utils/temporal-port-forward.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -Eeuo pipefail 3 | 4 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" 5 | 6 | # Source .env file in parent directory 7 | set -a 8 | source "${SCRIPT_DIR}/../.env" 9 | set +a 10 | 11 | kubectl port-forward -n ${TEMPORAL_K8S_NAMESPACE} services/${TEMPORAL_RELEASE_NAME}-web 8080:8080 12 | -------------------------------------------------------------------------------- /values_catalog.sh: -------------------------------------------------------------------------------- 
1 | #!/usr/bin/env bash 2 | 3 | 4 | #TEMPORAL_HOST="${TEMPORAL_RELEASE_NAME}-frontend.${TEMPORAL_K8S_NAMESPACE}.svc.cluster.local" 5 | 6 | if [[ "$CATALOG_DEPLOY_ENABLED" == "true" ]]; then 7 | PG_HOST="${CATALOG_DEPLOY_CLUSTER_NAME}-primary.${PEERDB_K8S_NAMESPACE}.svc.cluster.local" 8 | TEMPORAL_DEFAULT_USER_PASSWORD_EXISTING_SECRET="${CATALOG_DEPLOY_CLUSTER_NAME}-pguser-${TEMPORAL_USER}" 9 | TEMPORAL_VISIBILITY_USER_PASSWORD_EXISTING_SECRET="${CATALOG_DEPLOY_CLUSTER_NAME}-pguser-${TEMPORAL_USER}" 10 | fi 11 | 12 | 13 | if [[ -n "${TEMPORAL_CLOUD_HOST:-}" ]]; then 14 | TEMPORAL_DEPLOY_ENABLED=false 15 | else 16 | TEMPORAL_DEPLOY_ENABLED=true 17 | fi 18 | 19 | 20 | if [[ "$PG_RDS_SSL_ENABLED" == "true" ]]; then 21 | TEMPORAL_SSL_MODE=true 22 | TEMPORAL_SSL_TYPE=RDS 23 | fi 24 | 25 | 26 | cat << EOF > 'peerdb-catalog.values.secret.yaml' 27 | 28 | credentials: 29 | default: 30 | user: "${TEMPORAL_USER}" 31 | password: "${TEMPORAL_PASSWORD}" 32 | database: "${TEMPORAL_DB}" 33 | existingSecret: "${TEMPORAL_DEFAULT_USER_PASSWORD_EXISTING_SECRET}" 34 | 35 | visibility: 36 | user: "${TEMPORAL_USER}" 37 | password: "${TEMPORAL_PASSWORD}" 38 | database: "${TEMPORAL_VISIBILITY_DB}" 39 | existingSecret: "${TEMPORAL_VISIBILITY_USER_PASSWORD_EXISTING_SECRET}" 40 | 41 | admin: 42 | user: "${PG_USER}" 43 | password: "${PG_PASSWORD}" 44 | database: "${PG_DATABASE}" 45 | 46 | catalog: 47 | database: "${PEERDB_CATALOG_DATABASE}" 48 | pgHost: "${PG_HOST}" 49 | pgPort: "${PG_PORT}" 50 | secretName: "${PEERDB_CATALOG_CREDS_SECRET_NAME}" 51 | ssl: 52 | enabled: ${TEMPORAL_SSL_MODE} 53 | type: "${TEMPORAL_SSL_TYPE:-}" 54 | path: _TEMPORAL_SSL_CA_CERT_PATH_ 55 | 56 | deploy: 57 | enabled: ${CATALOG_DEPLOY_ENABLED} 58 | clusterName: "${CATALOG_DEPLOY_CLUSTER_NAME}" 59 | 60 | 61 | temporal: 62 | deploy: 63 | enabled: ${TEMPORAL_DEPLOY_ENABLED} 64 | tls: 65 | enabled: ${TEMPORAL_SSL_MODE} 66 | 67 | global: 68 | peerdb: 69 | enterprise: 70 | saveCustomerValuesAsSecret: 
${SAVE_VALUES_AS_SECRET} 71 | 72 | EOF 73 | -------------------------------------------------------------------------------- /values_peerdb.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | 4 | TEMPORAL_HOST="${TEMPORAL_RELEASE_NAME}-frontend.${PEERDB_K8S_NAMESPACE}.svc.cluster.local" 5 | 6 | if [[ "$CATALOG_DEPLOY_ENABLED" == "true" ]]; then 7 | PG_HOST="${CATALOG_DEPLOY_CLUSTER_NAME}-primary.${PEERDB_K8S_NAMESPACE}.svc.cluster.local" 8 | TEMPORAL_DEFAULT_USER_PASSWORD_EXISTING_SECRET="${CATALOG_DEPLOY_CLUSTER_NAME}-pguser-${TEMPORAL_USER}" 9 | TEMPORAL_VISIBILITY_USER_PASSWORD_EXISTING_SECRET="${CATALOG_DEPLOY_CLUSTER_NAME}-pguser-${TEMPORAL_USER}" 10 | fi 11 | 12 | 13 | if [[ -n "${TEMPORAL_CLOUD_HOST:-}" ]]; then 14 | TEMPORAL_HOST="${TEMPORAL_CLOUD_HOST}" 15 | TEMPORAL_DEPLOY_ENABLED=false 16 | else 17 | TEMPORAL_HOST="${TEMPORAL_RELEASE_NAME}-frontend.${PEERDB_K8S_NAMESPACE}.svc.cluster.local" 18 | TEMPORAL_DEPLOY_ENABLED=true 19 | fi 20 | 21 | 22 | # Temporal UI will be proxied through the authentication proxy if authentication is enabled 23 | if [[ "$AUTHENTICATION_ENABLED" == "true" ]]; then 24 | TEMPORAL_UI_SERVICE_TYPE="ClusterIP" 25 | else 26 | TEMPORAL_UI_SERVICE_TYPE="LoadBalancer" 27 | fi 28 | 29 | cat << EOF > peerdb.values.secret.yaml 30 | catalog: 31 | pgHost: "${PG_HOST}" 32 | pgPort: "${PG_PORT}" 33 | pgUser: "${PG_USER}" 34 | pgPassword: "${PG_PASSWORD}" 35 | pgDatabase: "${PEERDB_CATALOG_DATABASE}" 36 | pgAdminDatabase: "${PG_DATABASE}" 37 | deploy: 38 | enabled: ${CATALOG_DEPLOY_ENABLED} 39 | clusterName: "${CATALOG_DEPLOY_CLUSTER_NAME}" 40 | credentialsSecretName: "${PEERDB_CATALOG_CREDS_SECRET_NAME}" 41 | 42 | temporal: 43 | namespace: "${PEERDB_TEMPORAL_NAMESPACE}" 44 | releaseName: "${TEMPORAL_RELEASE_NAME}" 45 | host: "${TEMPORAL_HOST}" 46 | clientCert: "${TEMPORAL_CLOUD_CLIENT_CERT}" 47 | clientKey: "${TEMPORAL_CLOUD_CLIENT_KEY}" 48 | taskQueueId: 
"${PEERDB_DEPLOYMENT_UID}" 49 | deploy: 50 | enabled: ${TEMPORAL_DEPLOY_ENABLED} 51 | 52 | peerdb: 53 | credentials: 54 | password: "${PEERDB_PASSWORD}" 55 | version: "${PEERDB_VERSION}" 56 | 57 | peerdbUI: 58 | credentials: 59 | password: "${PEERDB_UI_PASSWORD}" 60 | nexauth_secret: "${PEERDB_UI_NEXTAUTH_SECRET}" 61 | service: 62 | url: "${PEERDB_UI_SERVICE_URL}" 63 | aws: 64 | region: "${AWS_REGION}" 65 | roleArn: "${AWS_ROLE_ARN}" 66 | accessKeyId: "${AWS_ACCESS_KEY_ID}" 67 | secretAccessKey: "${AWS_SECRET_ACCESS_KEY}" 68 | 69 | serviceAccount: 70 | name: "${SERVICE_ACCOUNT_NAME}" 71 | 72 | authentication: 73 | enabled: ${AUTHENTICATION_ENABLED} 74 | credentials: 75 | username: "${AUTHENTICATION_CREDENTIALS_USERNAME}" 76 | password: "${AUTHENTICATION_CREDENTIALS_PASSWORD}" 77 | temporal-deploy: 78 | server: 79 | config: 80 | persistence: 81 | default: 82 | sql: 83 | user: "${TEMPORAL_USER}" 84 | password: "${TEMPORAL_PASSWORD}" 85 | existingSecret: "${TEMPORAL_DEFAULT_USER_PASSWORD_EXISTING_SECRET}" 86 | database: "${TEMPORAL_DB}" 87 | tls: 88 | enabled: ${TEMPORAL_SSL_MODE} 89 | host: "${PG_HOST}" 90 | port: "${PG_PORT}" 91 | visibility: 92 | sql: 93 | user: "${TEMPORAL_USER}" 94 | password: "${TEMPORAL_PASSWORD}" 95 | existingSecret: "${TEMPORAL_VISIBILITY_USER_PASSWORD_EXISTING_SECRET}" 96 | database: "${TEMPORAL_VISIBILITY_DB}" 97 | tls: 98 | enabled: ${TEMPORAL_SSL_MODE} 99 | host: "${PG_HOST}" 100 | port: "${PG_PORT}" 101 | web: 102 | service: 103 | type: "${TEMPORAL_UI_SERVICE_TYPE}" 104 | datadog: 105 | enabled: $DATADOG_ENABLED 106 | datadog: 107 | site: $DATADOG_SITE 108 | apiKey: $DATADOG_API_KEY 109 | clusterName: $DATADOG_CLUSTER_NAME 110 | containerInclude: "kube_namespace:${PEERDB_K8S_NAMESPACE}" 111 | 112 | global: 113 | peerdb: 114 | enterprise: 115 | saveCustomerValuesAsSecret: ${SAVE_VALUES_AS_SECRET} 116 | 117 | EOF 118 | --------------------------------------------------------------------------------