Changeset - 768a373ff151
default
0 2 1
drewp@bigasterisk.com - 18 months ago 2023-04-09 23:35:33
drewp@bigasterisk.com
add postgres for session storage
3 files changed with 100 insertions and 0 deletions:
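--- /dev/null
+++ b/20-kube/06-postgres.yaml
@@ -0,0 +1,96 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pomerium-db-data
+  labels:
+    type: local
+spec:
+  storageClassName: manual
+  hostPath:
+    path: "/opt/pomerium-db"
+  capacity:
+    storage: 50Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  claimRef:
+    namespace: pomerium
+    name: pomerium-db-data
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  namespace: pomerium
+  name: pomerium-db-data
+spec:
+  storageClassName: ""
+  volumeName: "pomerium-db-data"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 50Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: pomerium
+  name: pomerium-db
+spec:
+  replicas: 1
+  strategy: {type: Recreate}
+  selector:
+    matchLabels:
+      app: pomerium-db
+  template:
+    metadata:
+      labels:
+        app: pomerium-db
+      annotations:
+        prometheus.io/scrape: "false"
+    spec:
+      volumes:
+        - name: pomerium-db-data
+          persistentVolumeClaim:
+            claimName: pomerium-db-data
+      containers:
+        # see /my/serv/photoprism/deploy.yaml for exporter example (for mariadb)
+        - name: pomerium-db
+          image: postgres:14.2-alpine3.15
+          env:
+          - {name: POSTGRES_PASSWORD, value: admin}
+          - {name: POSTGRES_DB, value: pomerium}
+          ports:
+          - containerPort: 5432
+          volumeMounts:
+          - name: pomerium-db-data
+            mountPath:  /var/lib/postgresql/data
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: "kubernetes.io/hostname"
+                operator: In
+                values: ["ditto"]
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: pomerium
+  name: pomerium-db
+spec:
+  ports:
+  - port: 5432
+    targetPort: 5432
+  selector:
+    app: pomerium-db
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: pomerium
+  name: postgres-connection-key
+type: Opaque
+stringData: 
+  connection: postgresql://pom:pom@pomerium-db/pomerium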
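Review bot: The database password is committed in clear text twice in this file — as the literal `admin` in the Deployment's `POSTGRES_PASSWORD` env entry, and as `pom:pom` inside the connection URL of the `postgres-connection-key` Secret (`stringData` is only a convenience; the value is stored base64-encoded, not encrypted). The two also do not agree: with no `POSTGRES_USER` set, the postgres image bootstraps the superuser `postgres` with password `admin`, so the `pom` role in the URL presumably has to be created out of band, otherwise Pomerium's connections will be refused — at minimum a comment on the Secret should say where that role comes from. Keep the password out of the Deployment by putting it in the Secret and reading it with `valueFrom.secretKeyRef`, and set `POSTGRES_USER` so the bootstrap role matches the URL; the password itself should be supplied from a secret store rather than this repository.
```yaml
          env:
          - name: POSTGRES_DB
            value: pomerium
          - name: POSTGRES_USER
            value: pom
          - name: POSTGRES_PASSWORD
            valueFrom:
              secretKeyRef:
                name: postgres-connection-key
                key: password
          # … unchanged: ports, volumeMounts …
# … unchanged: Service …
stringData:
  # <DB_PASSWORD> is a placeholder; inject it at deploy time, do not commit it
  password: <DB_PASSWORD>
  connection: postgresql://pom:<DB_PASSWORD>@pomerium-db/pomerium
```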
20-kube/10-pom-pom.yaml
 
apiVersion: ingress.pomerium.io/v1
 
kind: Pomerium
 
metadata:
 
  name: global
 
spec:
 
  secrets: pomerium/bootstrap
 
  authenticate:
 
    url: https://authenticate.bigasterisk.com
 
  identityProvider:
 
    provider: oidc
 
    url: https://accounts.google.com
 
    scopes:
 
      - openid
 
      - email
 
      # adds name+locale to user details
 
      - profile
 
    secret: pomerium/idp
 
  storage:
 
    postgres:
 
      secret: pomerium/postgres-connection-key
 

	
 
  # Note pom won't start up if this cert doesn't exist, so you have to run once
 
  # with it commented out, then after cert success, run again with it enabled.
 
  certificates: [pomerium/pomerium-proxy-tls]
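Review bot: The line between the new `storage.postgres` block and the `certificates` comment appears to consist of a single tab character (it renders here as an empty line followed by one holding only a tab); if that is in the committed file rather than a display artifact, delete it, since YAML forbids tabs in block indentation and strict parsers reject a line that begins with one. Which lines of this file are new cannot be told from this view, so this may also predate the commit.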
20-kube/skaffold.yaml
 
apiVersion: skaffold/v3
 
kind: Config
 
metadata:
 
  name: pomerium
 
manifests:
 
  rawYaml:
 
    - 05-idp-secret.yaml
 
    - 06-postgres.yaml
 
    - 10-pom-pom.yaml
 
    - 20-pom-deploy.yaml
 
    - 21-pom-svc.yaml