From eed414555321166fe27542a27bbeb7de988c00ea Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Sun, 17 Sep 2023 11:09:37 +0200
Subject: [PATCH] Add postgresconf

---
 dsmr/postgreshelmconfig.yaml | 214 +++++++++++++++++++++++++++++++++++
 1 file changed, 214 insertions(+)
 create mode 100644 dsmr/postgreshelmconfig.yaml

diff --git a/dsmr/postgreshelmconfig.yaml b/dsmr/postgreshelmconfig.yaml
new file mode 100644
index 0000000..00c0c16
--- /dev/null
+++ b/dsmr/postgreshelmconfig.yaml
@@ -0,0 +1,214 @@
+---
+## Set default image, imageTag, and imagePullPolicy.
+## ref: https://hub.docker.com/_/postgres
+##
+image:
+ repository: postgres
+ tag: "11.5"
+ pullPolicy: IfNotPresent
+
+ ## Optionally specify an imagePullSecret.
+ ## Secret must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecret: myRegistrKeySecretName
+
+## Expose the nifi service to be accessed from outside the cluster (LoadBalancer service).
+## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
+## ref: http://kubernetes.io/docs/user-guide/services/
+##
+service:
+ type: ClusterIP
+ annotations: {}
+ ## clusterIP:
+
+ ## Set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ # loadBalancerIP:
+
+ ## Load Balancer sources
+ ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ##
+ # loadBalancerSourceRanges:
+ # - 10.10.10.0/24
+
+## Postgresql values
+postgresql:
+ username: dsmr
+ password: dsmr
+ database: dsmr
+ port: 5432
+ # initdbArgs
+ # initdbWalDir
+ dataDir: /var/lib/postgresql/data
+# extraEnv
+
+ ## PostgreSQL configuration
+ ## Specify runtime configuration parameters as a dict, using camelCase, e.g.
+ ## {"sharedBuffers": "500MB"}
+ ## Alternatively, you can put your postgresql.conf under the configs/ directory
+ ## ref: https://www.postgresql.org/docs/current/static/runtime-config.html
+ ##
+ # config: {"sharedBuffers": "500MB"}
+ ## PostgreSQL client authentication configuration
+ ## Specify content for pg_hba.conf
+ ## Default: do not create pg_hba.conf
+ ## Alternatively, you can put your pg_hba.conf under the files/ directory
+ # pghba: |-
+ # local all all trust
+ # host all all localhost trust
+ # host mydatabase mysuser 192.168.0.0/24 md5
+ #initdbscripts: |-
+ #!/bin/sh
+ #echo "helloworld"
+ ## ConfigMap with PostgreSQL configuration
+ ## NOTE: This will override postgresql.config and postgresql.pghba
+ # configMap:
+
+##
+## Init containers parameters:
+## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup
+##
+volumePermissions:
+ enabled: true
+ image:
+ registry: docker.io
+ repository: debian
+ tag: buster-slim
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: Always
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ ## Init container Security Context
+ securityContext:
+ runAsUser: 0
+
+## Pod Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+##
+securityContext:
+ enabled: true
+ fsGroup: 1001
+ runAsUser: 1001
+
+ldap:
+ enabled: false
+ pgldapconfig: |-
+ # Reference: https://github.com/larskanis/pg-ldap-sync/blob/master/config/sample-config.yaml
+ # Connection parameters to LDAP server
+ ldap_connection:
+ host: example.com
+ port: 389
+ auth:
+ method: :simple
+ username: cn=admin,dc=example,dc=com
+ password: -password-goes-here-
+
+ # Search parameters for LDAP users which should be synchronized
+ ldap_users:
+ base: OU=People,dc=example,dc=com
+ # LDAP filter (according to RFC 2254)
+ # defines to users in LDAP to be synchronized
+ filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*))
+ # this attribute is used as PG role name
+ name_attribute: sAMAccountName
+ # lowercase name for use as PG role name
+ lowercase_name: true
+ ldap_groups:
+ base: OU=people,dc=example,dc=com
+ filter: (|(cn=group1)(cn=group2)(cn=group3))
+ # this attribute is used as PG role name
+ name_attribute: cn
+ # this attribute must reference to all member DN's of the given group
+ member_attribute: member
+ # Connection parameters to PostgreSQL server
+ # see also: http://rubydoc.info/gems/pg/PG/Connection#initialize-instance_method
+ pg_connection:
+ host:
+ dbname: postgres # the db name is usually "postgres"
+ user: postgres # the user name is usually "postgres"
+ password: postgres # kubectl get secret --namespace fadi -o jsonpath="{.data.postgresql-password}" | base64 --decode
+ pg_users:
+ # Filter for identifying LDAP generated users in the database.
+ # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+ filter: rolcanlogin AND NOT rolsuper
+ # Options for CREATE RULE statements
+ create_options: LOGIN
+ pg_groups:
+ # Filter for identifying LDAP generated groups in the database.
+ # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+ filter: NOT rolcanlogin AND NOT rolsuper
+ # Options for CREATE RULE statements
+ create_options: NOLOGIN
+ grant_options:
+
+ cron:
+ schedule: "*/1 * * * *"
+ repo: ceticasbl/pg-ldap-sync
+ tag: latest
+ restartPolicy: Never
+ mountPath: /workspace
+ subPath: ""
+
+## Enable persistence using Persistent Volume Claims
+## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+##
+persistence:
+ enabled: true
+ mountPath: /var/lib/postgresql
+ subPath: ""
+ accessModes: [ReadWriteOnce]
+ ## Storage Capacity for persistent volume
+ size: 10Gi
+ annotations: {}
+ existingClaim: nfs-postgres-claim
+
+## Configure liveness and readiness probes
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
+##
+#readinessProbe:
+# httpGet:
+# path: /
+# port: http
+# initialDelaySeconds: 60
+# periodSeconds: 15
+# timeoutSeconds: 10
+#livenessProbe:
+# httpGet:
+# path: /
+# port: http
+# initialDelaySeconds: 60
+# periodSeconds: 30
+# timeoutSeconds: 10
+
+## Configure resource requests and limits
+## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+##
+
+## initdb scripts
+## Specify dictionary of scripts to be run at first boot
+## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory
+##
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+nodeSelector: {}
+tolerations: []
+
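Review bot: `postgresql.password: dsmr` under `postgresql:` commits a plaintext database credential to the repository, and it is the same string as the username and database name, so anyone with read access to this repo holds a working login for whatever can reach the ClusterIP service. Supply the password at deploy time instead (a values file kept outside VCS, `--set postgresql.password=…` fed from a secret store, or an existing Secret if this chart supports referencing one) and leave only a placeholder here, e.g. `# password: supplied at deploy time; do not commit`. Two smaller points in the same hunk: `tag: "11.5"` pins a PostgreSQL release from 2019 that is years behind on security fixes (the 11.x line reaches end of life in November 2023), so pin a current minor of a supported major; and `pullPolicy: Always` on the mutable `buster-slim` tag together with `tag: latest` under `ldap.cron` makes the deployed images non-reproducible, so pin specific tags or digests there too. Also, the `## initdb scripts` comment stanza sits between the resources header and `resources: {}`, which it does not describe; move it next to `#initdbscripts`.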