1 parent
48e2923
commit 9c87c5d
Showing
8 changed files
with
1,020 additions
and
1 deletion.
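--- /dev/null
+++ b/certificates/ingress-cert.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: couchdb-tls
+  namespace: couchdb
+spec:
+  issuerRef:
+    name: lets-encrypt
+    kind: ClusterIssuer
+    group: cert-manager.io
+  secretName: couchdb-tls-cert
+  commonName: couchdb1.hhouse.us
+  dnsNames:
+    - couchdb1.hhouse.us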
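Review bot: The Certificate sets no `privateKey` policy, so on cert-manager releases where the default is `rotationPolicy: Never` the same private key is reused on every renewal; for a key that terminates TLS on a public ingress I would add `privateKey:` / `  rotationPolicy: Always` under `spec:` so each renewal gets a fresh key (confirm your cert-manager version's default before relying on it). `commonName` duplicates the single `dnsNames` entry; Let's Encrypt only honours SANs, so dropping `commonName` keeps one source of truth and avoids the 64-character CN limit if the name ever grows. The `secretName: couchdb-tls-cert` matches the name the ingress consumes in values.yaml, which is correct, but a short comment such as `# consumed by ingress.tls[0].secretName in values.yaml` would make that coupling visible to the next editor.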
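--- /dev/null
+++ b/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: couchdb
+
+resources:
+  - namespace.yaml
+  - op-secret.yaml
+  - certificates/ingress-cert.yaml
+
+helmCharts:
+  - name: couchdb
+    repo: https://apache.github.io/couchdb-helm
+    releaseName: couchdb
+    namespace: couchdb
+    version: 4.5.3
+    valuesFile: values.yaml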
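Review bot: The chart is fetched at render time from `https://apache.github.io/couchdb-helm` with only `version: 4.5.3` as a pin, and the `helmCharts` generator offers no field to verify the downloaded archive's digest, so the manifests applied to `k8s-prod` depend on that remote staying honest on every build. If this runs in CI, consider vendoring the chart (`helm pull --version 4.5.3` into the repo and pointing `repo:` at the local directory) or mirroring it in a registry you control, and record the expected chart digest in a comment beside `version:` so a swap is noticeable in review. `releaseName: couchdb` is what makes the chart look up the Secret `couchdb-couchdb`, which is the name the OnePasswordItem produces; a one-line comment `# releaseName drives the admin Secret name <releaseName>-couchdb (see op-secret.yaml)` would keep the two files from drifting apart.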
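--- /dev/null
+++ b/namespace.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    kubernetes.io/metadata.name: couchdb
+    istio-injection: enabled
+  annotations:
+    operator.1password.io/auto-restart: "true"
+  name: couchdb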
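Review bot: `istio-injection: enabled` puts a sidecar in every pod, but nothing in this commit adds a `PeerAuthentication` for the namespace, so whether pod-to-pod traffic is actually enforced as mTLS depends on the mesh-wide default (permissive unless someone changed it). I would add a namespace-scoped `PeerAuthentication` with `mtls.mode: STRICT`, or a comment stating why permissive is acceptable here. The namespace also carries no Pod Security Admission labels; `pod-security.kubernetes.io/enforce: baseline` would be a cheap guardrail, though the istio-init container needs NET_ADMIN/NET_RAW and would be rejected unless the mesh uses the Istio CNI plugin, so confirm that before adding it. The `operator.1password.io/auto-restart` annotation only helps for workload kinds the 1Password operator restarts; verify it covers the chart's StatefulSet, otherwise a rotated admin password will not reach CouchDB until the pods are restarted by hand.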
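--- /dev/null
+++ b/op-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: couchdb-couchdb #this name will also be used for naming the generated kubernetes secret
+  namespace: couchdb
+spec:
+  itemPath: "vaults/k8s-prod/items/couchdb-secret"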
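Review bot: The generated Secret has to carry exactly the keys the chart reads — `adminUsername`, `adminPassword` and `cookieAuthSecret` (plus `adminHash` if used) — and the 1Password operator derives Secret keys from the item's field labels, so a field labelled e.g. `password` in the vault would presumably yield a Secret the StatefulSet cannot consume and the pods would fail on the missing key. That contract is not written anywhere in this file; I would add `# item fields must be labelled adminUsername, adminPassword, cookieAuthSecret — the chart reads Secret <releaseName>-couchdb` above `itemPath:`. The inline comment on `name:` should get a space after `#` (`# this name will also be used ...`) to satisfy yamllint's comments rule.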
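--- /dev/null
+++ b/values.yaml
@@ -0,0 +1,296 @@
+# -- the initial number of nodes in the CouchDB cluster.
+clusterSize: 1
+
+# -- If allowAdminParty is enabled the cluster will start up without any database
+# administrator account; i.e., all users will be granted administrative
+# access. Otherwise, the system will look for a Secret called
+# <ReleaseName>-couchdb containing `adminUsername`, `adminPassword` and
+# `cookieAuthSecret` keys. See the `createAdminSecret` flag.
+# ref: https://kubernetes.io/docs/concepts/configuration/secret/
+allowAdminParty: false
+
+# Set it to true to automatically enable the cluster after installation.
+# It will create a post-install job that will send the {"action": "finish_cluster"}
+# message to CouchDB to finalize the cluster and add the defaultDatabases listed.
+# Note that this job needs service.enabled to be set to true and if you use adminHash,
+# a valid adminPassword in the secret. Also set the --wait flag when you install to
+# avoid first jobs failure (helm install --wait ...)
+autoSetup:
+  enabled: false
+  image:
+    repository: curlimages/curl
+    tag: latest
+    pullPolicy: Always
+  defaultDatabases:
+    - _global_changes
+
+# -- If createAdminSecret is enabled a Secret called <ReleaseName>-couchdb will
+# be created containing auto-generated credentials. Users who prefer to set
+# these values themselves have a couple of options:
+#
+# 1) The `adminUsername`, `adminPassword`, `adminHash`, and `cookieAuthSecret`
+#    can be defined directly in the chart's values. Note that all of a chart's
+#    values are currently stored in plaintext in a ConfigMap in the tiller
+#    namespace.
+#
+# 2) This flag can be disabled and a Secret with the required keys can be
+#    created ahead of time.
+createAdminSecret: false
+
+#adminUsername: admin
+# adminPassword: this_is_not_secure
+# adminHash: -pbkdf2-this_is_not_necessarily_secure_either
+# cookieAuthSecret: neither_is_this
+
+## When enabled, will deploy a networkpolicy that allows CouchDB pods to
+## communicate with each other for clustering and ingress on port 5984
+networkPolicy:
+  enabled: true
+
+## Use an alternate scheduler, e.g. "stork".
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+# schedulerName:
+
+# Use a service account
+serviceAccount:
+  enabled: true
+  create: true
+  # name:
+
+# imagePullSecrets:
+#   - name: myimagepullsecret
+
+# -- The storage volume used by each Pod in the StatefulSet. If a
+# persistentVolume is not enabled, the Pods will use `emptyDir` ephemeral
+# local storage. Setting the storageClass attribute to "-" disables dynamic
+# provisioning of Persistent Volumes; leaving it unset will invoke the default
+# provisioner.
+persistentVolume:
+  enabled: true
+  # NOTE: the number of existing claims must match the cluster size
+  existingClaims: []
+  annotations: {}
+  accessModes:
+    - ReadWriteOnce
+  size: 10Gi
+  #storageClass: "-"
+
+# Experimental - FEATURE STATE: Kubernetes v1.27 [beta]
+# Field controls if and how PVCs are deleted during the lifecycle
+# of a StatefulSet
+# ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
+persistentVolumeClaimRetentionPolicy:
+  enabled: false
+  whenScaled: Retain
+  whenDeleted: Retain
+
+## The CouchDB image
+image:
+  repository: couchdb
+  tag: 3.3.3
+  pullPolicy: IfNotPresent
+
+## Experimental integration with Lucene-powered fulltext search
+searchImage:
+  repository: kocolosk/couchdb-search
+  tag: 0.2.0
+  pullPolicy: IfNotPresent
+
+# -- Flip this to flag to include the Search container in each Pod
+enableSearch: false
+
+initImage:
+  repository: busybox
+  tag: latest
+  pullPolicy: Always
+
+## CouchDB is happy to spin up cluster nodes in parallel, but if you encounter
+## problems you can try setting podManagementPolicy to the StatefulSet default
+## `OrderedReady`
+podManagementPolicy: Parallel
+
+## To better tolerate Node failures, we can prevent Kubernetes scheduler from
+## assigning more than one Pod of CouchDB StatefulSet per Node using podAntiAffinity.
+affinity: {}
+  # podAntiAffinity:
+  #   requiredDuringSchedulingIgnoredDuringExecution:
+  #     - labelSelector:
+  #         matchExpressions:
+  #           - key: "app"
+  #             operator: In
+  #             values:
+  #             - couchdb
+  #       topologyKey: "kubernetes.io/hostname"
+
+## To control how Pods are spread across your cluster among failure-domains such as regions,
+## zones, nodes, and other user-defined topology domains use topologySpreadConstraints.
+topologySpreadConstraints: {}
+  # topologySpreadConstraints:
+  #   - maxSkew: 1
+  #     topologyKey: "topology.kubernetes.io/zone"
+  #     whenUnsatisfiable: ScheduleAnyway
+  #     labelSelector:
+  #       matchLabels:
+  #         app: couchdb
+
+## Optional pod labels
+labels: {}
+
+## Optional pod annotations
+annotations: {}
+
+## Optional tolerations
+tolerations: []
+
+## A StatefulSet requires a headless Service to establish the stable network
+## identities of the Pods, and that Service is created automatically by this
+## chart without any additional configuration. The Service block below refers
+## to a second Service that governs how clients connect to the CouchDB cluster.
+service:
+  annotations: {}
+  enabled: true
+  type: ClusterIP
+  externalPort: 5984
+  targetPort: 5984
+  labels: {}
+  extraPorts: []
+  # - name: sqs
+  #   port: 4984
+  #   targetPort: 4984
+  #   protocol: TCP
+
+## If you need to expose any additional ports on the CouchDB container, for example
+## if you're running CouchDB container with additional processes that need to
+## be accessible outside of the pod, you can define them here.
+extraPorts: []
+# - name: sqs
+#   containerPort: 4984
+
+## An Ingress resource can provide name-based virtual hosting and TLS
+## termination among other things for CouchDB deployments which are accessed
+## from outside the Kubernetes cluster.
+## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
+ingress:
+  enabled: true
+  className: nginx
+  hosts:
+    - couchdb1.hhouse.us
+  path: /
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  tls:
+  # Secrets must be manually created in the namespace.
+    - secretName: couchdb-tls-cert
+      hosts:
+        - couchdb1.hhouse.u
+
+## Optional resource requests and limits for the CouchDB container
+## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+resources: {}
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # limits:
+  #   cpu: 56
+  #   memory: 256Gi
+
+## Optional resource requests and limits for the CouchDB init container
+## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+initResources: {}
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # limits:
+  #   cpu: 500m
+  #   memory: 128Mi
+
+# -- erlangFlags is a map that is passed to the Erlang VM as flags using the
+# ERL_FLAGS env. The `name` flag is required to establish connectivity
+# between cluster nodes.
+# ref: http://erlang.org/doc/man/erl.html#init_flags
+erlangFlags:
+  name: couchdb
+  # Older versions of the official CouchDB image (anything prior to 3.2.1)
+  # do not act on the COUCHDB_ERLANG_COOKIE environment variable, so if you
+  # want to cluster these deployments it's necessary to pass in a cookie here
+  # setcookie: make-something-up
+
+# -- couchdbConfig will override default CouchDB configuration settings.
+# The contents of this map are reformatted into a .ini file laid down
+# by a ConfigMap object.
+# ref: http://docs.couchdb.org/en/latest/config/index.html
+couchdbConfig:
+  couchdb:
+    uuid: 97438a660ff144ef9613d06f9e65a68b # Unique identifier for this CouchDB server instance
+  # cluster:
+  #   q: 8 # Create 8 shards for each database
+  chttpd:
+    bind_address: any
+    # chttpd.require_valid_user disables all the anonymous requests to the port
+    # 5984 when is set to true.
+    require_valid_user: false
+  # required to use Fauxton if chttpd.require_valid_user is set to true
+  # httpd:
+  #   WWW-Authenticate: "Basic realm=\"administrator\""
+
+# Kubernetes local cluster domain.
+# This is used to generate FQDNs for peers when joining the CouchDB cluster.
+dns:
+  clusterDomainSuffix: cluster.local
+
+## Configure liveness and readiness probe values
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+livenessProbe:
+  enabled: true
+  failureThreshold: 3
+  initialDelaySeconds: 0
+  periodSeconds: 10
+  successThreshold: 1
+  timeoutSeconds: 1
+readinessProbe:
+  enabled: true
+  failureThreshold: 3
+  initialDelaySeconds: 0
+  periodSeconds: 10
+  successThreshold: 1
+  timeoutSeconds: 1
+
+# Control an optional pod disruption budget
+podDisruptionBudget:
+  # toggle creation of pod disruption budget, disabled by default
+  enabled: false
+  # minAvailable: 1
+  maxUnavailable: 1
+
+# CouchDB 3.2.0 adds in a metrics endpoint on the path `/_node/_local/_prometheus`.
+# Optionally, a standalone, unauthenticated port can be exposed for these metrics.
+prometheusPort:
+  enabled: false
+  bind_address: "0.0.0.0"
+  port: 17986
+
+# Configure arbitrary sidecar containers for CouchDB pods created by the
+# StatefulSet
+sidecars: {}
+  # - name: foo
+  #   image: "busybox"
+  #   imagePullPolicy: IfNotPresent
+  #   resources:
+  #     requests:
+  #       cpu: "0.1"
+  #       memory: 10Mi
+  #   command: ['echo "foo";']
+  #   volumeMounts:
+  #     - name: database-storage
+  #       mountPath: /opt/couchdb/data/
+
+# Placement manager to annotate each document in the nodes DB with "zone" attribute
+# recording the zone where node has been scheduled
+# Ref: https://docs.couchdb.org/en/stable/cluster/sharding.html#specifying-database-placement
+placementConfig:
+  enabled: false
+  image:
+    repository: caligrafix/couchdb-autoscaler-placement-manager
+    tag: 0.1.0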
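Review bot: The host listed under `ingress.tls[0].hosts` is `couchdb1.hhouse.u`, which matches neither the rule host `couchdb1.hhouse.us` nor the Certificate's `dnsNames`; ingress-nginx selects the TLS secret by host, so requests for the real name will be answered with the controller's default self-signed certificate instead of `couchdb-tls-cert`. Fix: `- couchdb1.hhouse.us`. A Let's Encrypt issuer implies the name is internet-reachable, and `chttpd.require_valid_user: false` leaves unauthenticated requests reaching CouchDB through that ingress; unless anonymous access is intended, set `require_valid_user: true` (uncommenting the `httpd: WWW-Authenticate` entry if Fauxton is needed) and say so in a comment. `initImage` (busybox) and `autoSetup.image` (curl) both use `tag: latest` with `pullPolicy: Always`, so a restart can pull an image nobody reviewed; pin them to a version or digest as `image.tag: 3.3.3` already is.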