add kustomize restore example

Author: codestation

kustomize/README.md

@@ -0,0 +1 @@
+Kustomize example for use in restore.

kustomize/base/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - pgbackrest-config.yaml
+  - pgbackrest-scripts.yaml
+  - pgbackrest-files.yaml
+  - postgres-scripts.yaml
+  - postgres-config.yaml
+  - statefulset.yaml
+  - pvc.yaml
+  - service.yaml

kustomize/base/pgbackrest-config.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pgbackrest-config
+data:
+  # Stanza options
+  PGBACKREST_PG1_PATH: /var/lib/postgresql/data/pgdata
+  # Global options
+  PGBACKREST_LOG_LEVEL_CONSOLE: info
+  PGBACKREST_LOG_LEVEL_FILE: info
+  PGBACKREST_PROCESS_MAX: "4"
+  PGBACKREST_ARCHIVE_ASYNC: "y"
+  # Repo options
+  PGBACKREST_REPO1_BUNDLE: "y"
+  PGBACKREST_REPO1_PATH: /repo
+  PGBACKREST_REPO1_HOST_CA_FILE: /certs/ca.crt
+  PGBACKREST_REPO1_HOST_CERT_FILE: /certs/tls.crt
+  PGBACKREST_REPO1_HOST_KEY_FILE: /certs/tls.key
+  PGBACKREST_REPO1_HOST_TYPE: tls
+  # TLS server options
+  PGBACKREST_TLS_SERVER_ADDRESS: "*"
+  PGBACKREST_TLS_SERVER_CA_FILE: /certs/ca.crt
+  PGBACKREST_TLS_SERVER_CERT_FILE: /certs/tls.crt
+  PGBACKREST_TLS_SERVER_KEY_FILE: /certs/tls.key

kustomize/base/pgbackrest-files.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pgbackrest-files
+data:
+  postgresql.conf: |
+    listen_addresses = '*'
+    max_connections = 100
+    shared_buffers = 128MB
+    dynamic_shared_memory_type = posix
+    max_wal_size = 1GB
+    min_wal_size = 80MB
+    log_timezone = 'Etc/UTC'
+    datestyle = 'iso, mdy'
+    timezone = 'Etc/UTC'
+    lc_messages = 'en_US.utf8'
+    lc_monetary = 'en_US.utf8'
+    lc_numeric = 'en_US.utf8'
+    lc_time = 'en_US.utf8'
+    default_text_search_config = 'pg_catalog.english'
+  pg_hba.conf: |
+    local   all             all                                     trust
+    host    all             all             127.0.0.1/32            trust
+    host    all             all             ::1/128                 trust
+    local   replication     all                                     trust
+    host    replication     all             127.0.0.1/32            trust
+    host    replication     all             ::1/128                 trust
+    host all all all scram-sha-256
+  pg_ident.conf:

kustomize/base/pgbackrest-scripts.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pgbackrest-scripts
+data:
+  restore.sh: |
+    #!/bin/bash
+    set -e
+
+    # look specifically for PG_VERSION, as it is expected in the DB dir
+    if [ -s "$PGDATA/PG_VERSION" ]; then
+      echo "The data directory is not empty. Skipping restore."
+      exit 0
+    fi
+
+    # PGBACKREST_STANZA and PGBACKREST_TARGET must be set
+    if [ -z "${PGBACKREST_STANZA}" ] || [ -z "${PGBACKREST_TARGET}" ]; then
+      echo "PGBACKREST_STANZA and PGBACKREST_TARGET aren't set. Skipping restore."
+      exit 0
+    fi
+
+    pgbackrest restore --stanza="${PGBACKREST_STANZA}" --type=time --target="${PGBACKREST_TARGET}" --target-action=promote --archive-mode=off --log-level-file=info
+
+    # copy postgresql.conf, pg_ident.conf and pg_hba.conf to PGDATA from /defaults if they are missing from PGDATA
+    if [ ! -f "${PGDATA}/postgresql.conf" ]; then
+      cp /defaults/postgresql.conf "${PGDATA}/postgresql.conf"
+    fi
+
+    if [ ! -f "${PGDATA}/pg_hba.conf" ]; then
+      cp /defaults/pg_hba.conf "${PGDATA}/pg_hba.conf"
+    fi
+
+    if [ ! -f "${PGDATA}/pg_ident.conf" ]; then
+      cp /defaults/pg_ident.conf "${PGDATA}/pg_ident.conf"
+    fi

kustomize/base/postgres-config.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-config
+data:
+  PGDATA: /var/lib/postgresql/data/pgdata

kustomize/base/postgres-scripts.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-scripts
+data:
+  init-database.sh: |
+    #!/bin/bash
+    set -eu
+
+    # exit if POSTGRES_DB_USER nor POSTGRES_DB_PASSWORD are set
+    if [ -z "${POSTGRES_DB_USER}" ] || [ -z "${POSTGRES_DB_PASSWORD}" ]; then
+      echo "POSTGRES_DB_USER and POSTGRES_DB_PASSWORD must be set"
+      exit 1
+    fi
+
+    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "${POSTGRES_DB:-POSTGRES_USER}" <<-EOSQL
+      CREATE USER $POSTGRES_DB_USER WITH PASSWORD '$POSTGRES_DB_PASSWORD';
+      CREATE DATABASE $POSTGRES_DB_NAME OWNER $POSTGRES_DB_USER;
+    EOSQL

kustomize/base/pvc.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgres-pvc
+  labels:
+    app.kubernetes.io/name: postgres
+    app.kubernetes.io/instance: postgres
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

kustomize/base/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres
+  labels:
+    app.kubernetes.io/name: postgres
+    app.kubernetes.io/instance: postgres
+spec:
+  type: ClusterIP
+  ports:
+    - name: postgres
+      port: 5432
+      targetPort: postgres
+  selector:
+    app.kubernetes.io/name: postgres
+    app.kubernetes.io/instance: postgres

kustomize/base/statefulset.yaml

@@ -0,0 +1,118 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgres
+  labels:
+    app.kubernetes.io/name: postgres
+    app.kubernetes.io/instance: postgres
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: postgres
+      app.kubernetes.io/instance: postgres
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: postgres
+        app.kubernetes.io/instance: postgres
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 999
+        runAsGroup: 999
+        fsGroup: 999
+      terminationGracePeriodSeconds: 60
+      initContainers:
+        - name: import-base
+          image: ghcr.io/codestation/pgbackrest:2.54.2-postgres17
+          command:
+            - bash
+            - -c
+            - /scripts/restore.sh
+          envFrom:
+            - configMapRef:
+                name: pgbackrest-config
+            - configMapRef:
+                name: postgres-config
+          volumeMounts:
+            - name: pgdata
+              mountPath: /var/lib/postgresql/data
+            - name: pgbackrest-scripts
+              mountPath: /scripts
+            - name: pgbackrest-files
+              mountPath: /defaults
+            - name: pgbackrest-certs
+              mountPath: /certs
+      containers:
+        - name: postgres
+          image: ghcr.io/codestation/postgres:17
+          command: ["docker-entrypoint.sh"]
+          args: ["postgres"]
+          envFrom:
+            - configMapRef:
+                name: postgres-config
+            - configMapRef:
+                name: pgbackrest-config
+            - secretRef:
+                name: postgres-secret
+                optional: true
+          env:
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: postgres-root-credentials
+                  key: username
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: postgres-root-credentials
+                  key: password
+          ports:
+            - containerPort: 5432
+              name: postgres
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - sh
+                  - -c
+                  - exec pg_ctl stop -D /var/lib/postgresql/data -m fast -w -t 60
+          volumeMounts:
+            - name: pgdata
+              mountPath: /var/lib/postgresql/data
+            - name: shm
+              mountPath: /dev/shm
+            - name: pgbackrest-spooler
+              mountPath: /var/spool/pgbackrest
+            - name: postgres-scripts
+              mountPath: /docker-entrypoint-initdb.d
+            - name: pgbackrest-certs
+              mountPath: /certs
+      volumes:
+        - name: pgdata
+          persistentVolumeClaim:
+            claimName: postgres-pvc
+        - name: shm
+          emptyDir:
+            medium: Memory
+        - name: postgres-scripts
+          configMap:
+            name: postgres-scripts
+            defaultMode: 0755
+        - name: pgbackrest-spooler
+          emptyDir: {}
+        - name: pgbackrest-scripts
+          configMap:
+            name: pgbackrest-scripts
+            defaultMode: 0755
+        - name: pgbackrest-files
+          configMap:
+            name: pgbackrest-files
+            defaultMode: 0600
+        - name: pgbackrest-certs
+          projected:
+            defaultMode: 0600
+            sources:
+              - secret:
+                  name: pgbackrest-certs

kustomize/overlays/restore/kustomization.yaml

@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: db-restore
+
+resources:
+  - ../../base
+  - pgbackrest-certs.yaml
+  - namespace.yaml
+  - secret.yaml
+
+configMapGenerator:
+  - name: pgbackrest-config
+    behavior: merge
+    envs:
+      - pgbackrest-config.env
+  - name: postgres-config
+    behavior: merge
+    envs:
+      - postgres-config.env

kustomize/overlays/restore/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: db-restore

kustomize/overlays/restore/pgbackrest-certs.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pgbackrest-certs
+type: kubernetes.io/tls
+stringData:
+  ca.crt: |
+    -----BEGIN CERTIFICATE-----
+    ...
+    -----END CERTIFICATE-----
+  tls.crt: |
+    -----BEGIN CERTIFICATE-----
+    ...
+    -----END CERTIFICATE-----
+  tls.key: |
+    -----BEGIN PRIVATE KEY-----
+    ...
+    -----END PRIVATE KEY-----

kustomize/overlays/restore/pgbackrest-config.env

@@ -0,0 +1,4 @@
+PGBACKREST_STANZA=my_pgbackrest_stanza
+PGBACKREST_TARGET=2025-04-01 12:34:00-05:00
+PGBACKREST_REPO1_HOST=pgbackrest.example.com
+PGBACKREST_TLS_SERVER_AUTH=pgbackrest.example.com=*

kustomize/overlays/restore/postgres-config.env

@@ -0,0 +1 @@
+POSTGRES_DB_NAME=my_database_name

kustomize/overlays/restore/secret.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: postgres-root-credentials
+  labels:
+    app.kubernetes.io/name: postgres
+    app.kubernetes.io/instance: postgres
+type: kubernetes.io/basic-auth
+stringData:
+  username: postgres
+  password: my_secret_password