Add some operators

k8s/kustomization.yaml

@@ -1,11 +1,12 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./adsb
+  - operators
-  - ./forgejo
+  - adsb
-  - ./generic-device-plugin
+  - forgejo
-  - ./invoiceninja
+  - generic-device-plugin
-  - ./matrix
+  - invoiceninja
-  - ./monitoring
+  - matrix
-  - ./s3staticsites
+  - monitoring
-  - ./shlink
+  - s3staticsites
+  - shlink

k8s/namespaces.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: authentik
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: browsers
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: keycloak

k8s/operators/cert-manager/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+# namespace: cert-manager
+resources:
+  - cert-manager.yaml # source: https://github.com/cert-manager/cert-manager/releases/download/v1.15.0/cert-manager.yaml
+  - secrets.yaml
+  - pdns-hook.yaml
+  - letsencrypt.yaml
+  - selfsigned.yaml
+

k8s/operators/cert-manager/letsencrypt.yaml

@@ -0,0 +1,147 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    email: dns-admin@janky.solutions
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-staging-account-key
+    solvers:
+      - dns01:
+          webhook:
+            groupName: acme.zacharyseguin.ca
+            solverName: pdns
+            config:
+              # Base URL of the PowerDNS server.
+              host: https://dns.janky.solutions
+
+              # Reference to the Kubernetes secret containing the API key.
+              apiKeySecretRef:
+                name: pdns-api-key
+                key: key
+
+              ###
+              ### OPTIONAL
+              ###
+
+              # API Key scheme https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
+              # default: no scheme ""
+              # apiKeyScheme: ""
+
+              # Header name for API key
+              #
+              # This defaults to X-API-Key when unset but supports customizations
+              # e.g. Authorization 
+              # apiKeyHeaderName: ""
+
+              # Server ID for the PowerDNS API.
+              # When unset, defaults to "localhost".
+              #
+              # This should generally be left unset, and used
+              # only if you have a proxy in front of the PowerDNS API
+              # that requires a different value.
+              # serverID: localhost
+
+              # Request headers when connecting to the PowerDNS API.
+              # The following headers are set by default, but can be overriden:
+              #   X-API-Key
+              #   Content-Type
+              # headers:
+              #   Host: dns.janky.solutions
+
+              # CA bundle for TLS connections
+              # When unset, the default system certificate store is used.
+              # caBundle: BASE64_ENCODED_CA_BUNDLE
+
+              # TTL for DNS records
+              # (in seconds)
+              # ttl: 120
+
+              # Timeout for requests to the PDNS api server
+              # (in seconds)
+              # timeout: 30
+
+              # If the server is only allowed to edit certain zones; the
+              # default is an empty list, allowing everything.
+              # *IMPORTANT*: Remember the trailing dot to make the zone-name
+              # fully qualified.
+              # allowed-zones:
+              #   - example.com.
+              #   - example.org.
+              #   - example.net.
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    email: dns-admin@janky.solutions
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-account-key
+    solvers:
+      - dns01:
+          webhook:
+            groupName: acme.zacharyseguin.ca
+            solverName: pdns
+            config:
+              # Base URL of the PowerDNS server.
+              host: https://dns.janky.solutions
+
+              # Reference to the Kubernetes secret containing the API key.
+              apiKeySecretRef:
+                name: pdns-api-key
+                key: key
+
+              ###
+              ### OPTIONAL
+              ###
+
+              # API Key scheme https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
+              # default: no scheme ""
+              # apiKeyScheme: ""
+
+              # Header name for API key
+              #
+              # This defaults to X-API-Key when unset but supports customizations
+              # e.g. Authorization 
+              # apiKeyHeaderName: ""
+
+              # Server ID for the PowerDNS API.
+              # When unset, defaults to "localhost".
+              #
+              # This should generally be left unset, and used
+              # only if you have a proxy in front of the PowerDNS API
+              # that requires a different value.
+              # serverID: localhost
+
+              # Request headers when connecting to the PowerDNS API.
+              # The following headers are set by default, but can be overriden:
+              #   X-API-Key
+              #   Content-Type
+              # headers:
+              #   Host: dns.janky.solutions
+
+              # CA bundle for TLS connections
+              # When unset, the default system certificate store is used.
+              # caBundle: BASE64_ENCODED_CA_BUNDLE
+
+              # TTL for DNS records
+              # (in seconds)
+              # ttl: 120
+
+              # Timeout for requests to the PDNS api server
+              # (in seconds)
+              # timeout: 30
+
+              # If the server is only allowed to edit certain zones; the
+              # default is an empty list, allowing everything.
+              # *IMPORTANT*: Remember the trailing dot to make the zone-name
+              # fully qualified.
+              # allowed-zones:
+              #   - example.com.
+              #   - example.org.
+              #   - example.net.

k8s/operators/cert-manager/pdns-hook.yaml

@@ -0,0 +1,345 @@
+---
+# Source: cert-manager-webhook-pdns/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-webhook-pdns
+  namespace: cert-manager
+  labels:
+    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/version: "v2.5.1"
+    app.kubernetes.io/managed-by: Helm
+---
+# Source: cert-manager-webhook-pdns/templates/rbac.yaml
+# Grant cert-manager permission to validate using our apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-webhook-pdns
+  labels:
+    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/version: "v2.5.1"
+    app.kubernetes.io/managed-by: Helm
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - 'secrets'
+    verbs:
+      - 'get'
+  - apiGroups:
+      - 'flowcontrol.apiserver.k8s.io'
+    resources:
+      - 'flowschemas'
+      - 'prioritylevelconfigurations'
+    verbs:
+      - 'watch'
+      - 'list'
+---
+# Source: cert-manager-webhook-pdns/templates/rbac.yaml
+# Grant cert-manager permission to validate using our apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-webhook-pdns:domain-solver
+  labels:
+    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/version: "v2.5.1"
+    app.kubernetes.io/managed-by: Helm
+rules:
+  - apiGroups:
+      - acme.zacharyseguin.ca
+    resources:
+      - '*'
+    verbs:
+      - 'create'
+---
+# Source: cert-manager-webhook-pdns/templates/rbac.yaml
+# Grant the webhook permission to read the ConfigMap containing the Kubernetes
+# apiserver's requestheader-ca-certificate.
+# This ConfigMap is automatically created by the Kubernetes apiserver.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-webhook-pdns
+  labels:
+    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/version: "v2.5.1"
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-webhook-pdns
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-pdns
+    namespace: cert-manager
+---
+# Source: cert-manager-webhook-pdns/templates/rbac.yaml
+# apiserver gets the auth-delegator role to delegate auth decisions to
+# the core apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-webhook-pdns:auth-delegator
+  labels:
+    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/version: "v2.5.1"
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-pdns
+    namespace: cert-manager
+---
+# Source: cert-manager-webhook-pdns/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-webhook-pdns:domain-solver
+  labels:
+    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/version: "v2.5.1"
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-webhook-pdns:domain-solver
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager
+    namespace: cert-manager
+---
+# Source: cert-manager-webhook-pdns/templates/rbac.yaml
+# Grant the webhook permission to read the ConfigMap containing the Kubernetes
+# apiserver's requestheader-ca-certificate.
+# This ConfigMap is automatically created by the Kubernetes apiserver.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-webhook-pdns:webhook-authentication-reader
+  namespace: kube-system
+  labels:
+    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/version: "v2.5.1"
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-pdns
+    namespace: cert-manager
+---
+# Source: cert-manager-webhook-pdns/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: cert-manager-webhook-pdns
+  namespace: cert-manager
+  labels:
+    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/version: "v2.5.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+  ports:
+    - port: 443
+      targetPort: https
+      protocol: TCP
+      name: https
+  selector:
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+---
+# Source: cert-manager-webhook-pdns/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-manager-webhook-pdns
+  namespace: cert-manager
+  labels:
+    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/version: "v2.5.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: cert-manager-webhook-pdns
+      app.kubernetes.io/instance: cert-manager-webhook-pdns
+  template:
+    metadata:
+      labels:
+        helm.sh/chart: cert-manager-webhook-pdns-3.1.3
+        app.kubernetes.io/name: cert-manager-webhook-pdns
+        app.kubernetes.io/instance: cert-manager-webhook-pdns
+        app.kubernetes.io/version: "v2.5.1"
+        app.kubernetes.io/managed-by: Helm
+    spec:
+      serviceAccountName: cert-manager-webhook-pdns
+      containers:
+        - name: cert-manager-webhook-pdns
+          image: "docker.io/zachomedia/cert-manager-webhook-pdns:latest"
+          imagePullPolicy: IfNotPresent
+          args:
+            - --tls-cert-file=/tls/tls.crt
+            - --tls-private-key-file=/tls/tls.key
+            - --secure-port=8443
+          env:
+            - name: GROUP_NAME
+              value: "acme.zacharyseguin.ca"
+          ports:
+            - name: https
+              containerPort: 8443
+              protocol: TCP
+          securityContext:
+            runAsGroup: 100
+            runAsUser: 100
+          livenessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /healthz
+              port: https
+          readinessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /healthz
+              port: https
+          volumeMounts:
+            - name: certs
+              mountPath: /tls
+              readOnly: true
+          resources:
+            {}
+      volumes:
+        - name: certs
+          secret:
+            secretName: cert-manager-webhook-pdns-webhook-tls
+---
+# Source: cert-manager-webhook-pdns/templates/apiservice.yaml
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.acme.zacharyseguin.ca
+  namespace: cert-manager
+  labels:
+    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/version: "v2.5.1"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    cert-manager.io/inject-ca-from: "cert-manager/cert-manager-webhook-pdns-webhook-tls"
+spec:
+  group: acme.zacharyseguin.ca
+  groupPriorityMinimum: 1000
+  versionPriority: 15
+  service:
+    name: cert-manager-webhook-pdns
+    namespace: cert-manager
+  version: v1alpha1
+---
+# Source: cert-manager-webhook-pdns/templates/pki.yaml
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cert-manager-webhook-pdns-ca
+  namespace: "cert-manager"
+  labels:
+    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/version: "v2.5.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  secretName: cert-manager-webhook-pdns-ca
+  duration: 43800h0m0s # 5y
+  issuerRef:
+    name: cert-manager-webhook-pdns-selfsign
+  commonName: "ca.cert-manager-webhook-pdns.cert-manager"
+  isCA: true
+---
+# Source: cert-manager-webhook-pdns/templates/pki.yaml
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cert-manager-webhook-pdns-webhook-tls
+  namespace: "cert-manager"
+  labels:
+    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/version: "v2.5.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  secretName: cert-manager-webhook-pdns-webhook-tls
+  duration: 8760h0m0s # 1y
+  issuerRef:
+    name: cert-manager-webhook-pdns-ca
+  dnsNames:
+  - cert-manager-webhook-pdns
+  - cert-manager-webhook-pdns.cert-manager
+  - cert-manager-webhook-pdns.cert-manager.svc
+---
+# Source: cert-manager-webhook-pdns/templates/pki.yaml
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: cert-manager-webhook-pdns-selfsign
+  namespace: "cert-manager"
+  labels:
+    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/version: "v2.5.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  selfSigned: {}
+---
+# Source: cert-manager-webhook-pdns/templates/pki.yaml
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: cert-manager-webhook-pdns-ca
+  namespace: "cert-manager"
+  labels:
+    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
+    app.kubernetes.io/name: cert-manager-webhook-pdns
+    app.kubernetes.io/instance: cert-manager-webhook-pdns
+    app.kubernetes.io/version: "v2.5.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  ca:
+    secretName: cert-manager-webhook-pdns-ca

k8s/operators/cert-manager/selfsigned.yaml

@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}

k8s/operators/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - postgres-operator
+  - cert-manager

k8s/operators/postgres-operator/api-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres-operator
+spec:
+  type: ClusterIP
+  ports:
+  - port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    name: postgres-operator

k8s/operators/postgres-operator/configmap.yaml

@@ -0,0 +1,173 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-operator
+data:
+  # additional_owner_roles: "cron_admin"
+  # additional_pod_capabilities: "SYS_NICE"
+  # additional_secret_mount: "some-secret-name"
+  # additional_secret_mount_path: "/some/dir"
+  api_port: "8080"
+  aws_region: eu-central-1
+  cluster_domain: cluster.local
+  cluster_history_entries: "1000"
+  cluster_labels: application:spilo
+  cluster_name_label: k8s.home.finn.io
+  connection_pooler_default_cpu_limit: "1"
+  connection_pooler_default_cpu_request: "500m"
+  connection_pooler_default_memory_limit: 100Mi
+  connection_pooler_default_memory_request: 100Mi
+  connection_pooler_image: "registry.opensource.zalan.do/acid/pgbouncer:master-32"
+  # connection_pooler_max_db_connections: 60
+  # connection_pooler_mode: "transaction"
+  # connection_pooler_number_of_instances: 2
+  # connection_pooler_schema: "pooler"
+  # connection_pooler_user: "pooler"
+  crd_categories: "all"
+  # custom_service_annotations: "keyx:valuez,keya:valuea"
+  # custom_pod_annotations: "keya:valuea,keyb:valueb"
+  db_hosted_zone: k8s.home.finn.io
+  debug_logging: "true"
+  default_cpu_limit: "1"
+  default_cpu_request: 100m
+  default_memory_limit: 500Mi
+  default_memory_request: 100Mi
+  # delete_annotation_date_key: delete-date
+  # delete_annotation_name_key: delete-clustername
+  docker_image: ghcr.io/zalando/spilo-16:3.2-p3
+  # downscaler_annotations: "deployment-time,downscaler/*"
+  # enable_admin_role_for_users: "true"
+  # enable_crd_registration: "true"
+  # enable_cross_namespace_secret: "false"
+  enable_finalizers: "false"
+  # enable_database_access: "true"
+  enable_ebs_gp3_migration: "false"
+  # enable_ebs_gp3_migration_max_size: "1000"
+  # enable_init_containers: "true"
+  # enable_lazy_spilo_upgrade: "false"
+  enable_master_load_balancer: "false"
+  enable_master_pooler_load_balancer: "false"
+  enable_password_rotation: "false"
+  enable_patroni_failsafe_mode: "false"
+  enable_secrets_deletion: "true"
+  enable_persistent_volume_claim_deletion: "true"
+  enable_pgversion_env_var: "true"
+  # enable_pod_antiaffinity: "false"
+  # enable_pod_disruption_budget: "true"
+  # enable_postgres_team_crd: "false"
+  # enable_postgres_team_crd_superusers: "false"
+  enable_readiness_probe: "false"
+  enable_replica_load_balancer: "false"
+  enable_replica_pooler_load_balancer: "false"
+  # enable_shm_volume: "true"
+  # enable_sidecars: "true"
+  enable_spilo_wal_path_compat: "true"
+  enable_team_id_clustername_prefix: "false"
+  enable_team_member_deprecation: "false"
+  # enable_team_superuser: "false"
+  enable_teams_api: "false"
+  # etcd_host: ""
+  external_traffic_policy: "Cluster"
+  # gcp_credentials: ""
+  # ignored_annotations: ""
+  # infrastructure_roles_secret_name: "postgresql-infrastructure-roles"
+  # infrastructure_roles_secrets: "secretname:monitoring-roles,userkey:user,passwordkey:password,rolekey:inrole"
+  # ignore_instance_limits_annotation_key: ""
+  # inherited_annotations: owned-by
+  # inherited_labels: application,environment
+  # kube_iam_role: ""
+  # kubernetes_use_configmaps: "false"
+  # log_s3_bucket: ""
+  # logical_backup_azure_storage_account_name: ""
+  # logical_backup_azure_storage_container: ""
+  # logical_backup_azure_storage_account_key: ""
+  # logical_backup_cpu_limit: ""
+  # logical_backup_cpu_request: ""
+  logical_backup_docker_image: "ghcr.io/zalando/postgres-operator/logical-backup:v1.12.2"
+  # logical_backup_google_application_credentials: ""
+  logical_backup_job_prefix: "logical-backup-"
+  # logical_backup_memory_limit: ""
+  # logical_backup_memory_request: ""
+  logical_backup_provider: "s3"
+  logical_backup_s3_bucket: k8s-db-backups
+  # logical_backup_s3_bucket_prefix: "spilo"
+  logical_backup_s3_region: us-sea-1
+  logical_backup_s3_endpoint: storage.home.finn.io
+  # logical_backup_s3_secret_access_key: ""
+  # logical_backup_s3_access_key_id: ""
+  logical_backup_s3_sse: "AES256"
+  # logical_backup_s3_retention_time: ""
+  logical_backup_schedule: "5/* * * * *" # set to agressively frequent to test, used to be 30 00 * * * 
+  logical_backup_cronjob_environment_secret: backups-secret
+  major_version_upgrade_mode: "manual"
+  # major_version_upgrade_team_allow_list: ""
+  master_dns_name_format: "{cluster}.{namespace}.{hostedzone}"
+  # master_legacy_dns_name_format: "{cluster}.{team}.{hostedzone}"
+  # master_pod_move_timeout: 20m
+  # max_instances: "-1"
+  # min_instances: "-1"
+  # max_cpu_request: "1"
+  # max_memory_request: 4Gi
+  # min_cpu_limit: 250m
+  # min_memory_limit: 250Mi
+  # minimal_major_version: "12"
+  # node_readiness_label: "status:ready"
+  # node_readiness_label_merge: "OR"
+  # oauth_token_secret_name: postgresql-operator
+  # pam_configuration: |
+  #  https://info.example.com/oauth2/tokeninfo?access_token= uid realm=/employees
+  # pam_role_name: zalandos
+  patroni_api_check_interval: "1s"
+  patroni_api_check_timeout: "5s"
+  # password_rotation_interval: "90"
+  # password_rotation_user_retention: "180"
+  pdb_master_label_selector: "true"
+  pdb_name_format: "postgres-{cluster}-pdb"
+  persistent_volume_claim_retention_policy: "when_deleted:retain,when_scaled:retain"
+  # pod_antiaffinity_preferred_during_scheduling: "false"
+  # pod_antiaffinity_topology_key: "kubernetes.io/hostname"
+  pod_deletion_wait_timeout: 10m
+  # pod_environment_configmap: "default/my-custom-config"
+  # pod_environment_secret: "my-custom-secret"
+  pod_label_wait_timeout: 10m
+  pod_management_policy: "ordered_ready"
+  # pod_priority_class_name: "postgres-pod-priority"
+  pod_role_label: spilo-role
+  # pod_service_account_definition: ""
+  pod_service_account_name: "postgres-pod"
+  # pod_service_account_role_binding_definition: ""
+  pod_terminate_grace_period: 5m
+  # postgres_superuser_teams: "postgres_superusers"
+  # protected_role_names: "admin,cron_admin"
+  ready_wait_interval: 3s
+  ready_wait_timeout: 30s
+  repair_period: 5m
+  replica_dns_name_format: "{cluster}-repl.{namespace}.{hostedzone}"
+  # replica_legacy_dns_name_format: "{cluster}-repl.{team}.{hostedzone}"
+  replication_username: standby
+  resource_check_interval: 3s
+  resource_check_timeout: 10m
+  resync_period: 30m
+  ring_log_lines: "100"
+  role_deletion_suffix: "_deleted"
+  secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
+  share_pgsocket_with_sidecars: "false"
+  # sidecar_docker_images: ""
+  # set_memory_request_to_limit: "false"
+  spilo_allow_privilege_escalation: "true"
+  # spilo_runasuser: 101
+  # spilo_runasgroup: 103
+  # spilo_fsgroup: 103
+  spilo_privileged: "false"
+  storage_resize_mode: "pvc"
+  super_username: postgres
+  # target_major_version: "16"
+  # team_admin_role: "admin"
+  # team_api_role_configuration: "log_statement:all"
+  # teams_api_url: http://fake-teams-api.default.svc.cluster.local
+  # toleration: "key:db-only,operator:Exists,effect:NoSchedule"
+  # wal_az_storage_account: ""
+  # wal_gs_bucket: ""
+  # wal_s3_bucket: k8s-db-backups
+  watched_namespace: "*"  # listen to all namespaces
+  workers: "8"

k8s/operators/postgres-operator/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: postgres-operator
+resources:
+  - namespace.yaml
+  - operator-service-account-rbac.yaml
+  - postgres-operator.yaml
+  - configmap.yaml
+  - api-service.yaml
+  - secrets.yaml

k8s/operators/postgres-operator/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: postgres-operator

k8s/operators/postgres-operator/operator-service-account-rbac.yaml

@@ -0,0 +1,286 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgres-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: postgres-operator
+rules:
+# all verbs allowed for custom operator resources
+- apiGroups:
+  - acid.zalan.do
+  resources:
+  - postgresqls
+  - postgresqls/status
+  - operatorconfigurations
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+# operator only reads PostgresTeams
+- apiGroups:
+  - acid.zalan.do
+  resources:
+  - postgresteams
+  verbs:
+  - get
+  - list
+  - watch
+# all verbs allowed for event streams (Zalando-internal feature)
+# - apiGroups:
+#   - zalando.org
+#   resources:
+#   - fabriceventstreams
+#   verbs:
+#   - create
+#   - delete
+#   - deletecollection
+#   - get
+#   - list
+#   - patch
+#   - update
+#   - watch
+# to create or get/update CRDs when starting up
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+# to read configuration from ConfigMaps
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+# to send events to the CRs
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+# to manage endpoints which are also used by Patroni
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+# to CRUD secrets for database access
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - update
+# to check nodes for node readiness label
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+# to read or delete existing PVCs. Creation via StatefulSet
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - delete
+  - get
+  - list
+  - patch
+  - update
+ # to read existing PVs. Creation should be done via dynamic provisioning
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+  - update  # only for resizing AWS volumes
+# to watch Spilo pods and do rolling updates. Creation via StatefulSet
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+# to resize the filesystem in Spilo pods when increasing volume size
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
+# to CRUD services to point to Postgres cluster instances
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - patch
+  - update
+# to CRUD the StatefulSet which controls the Postgres cluster instances
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  - deployments
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+# to CRUD cron jobs for logical backups
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+# to get namespaces operator resources can run in
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+# to define PDBs. Update happens via delete/create
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
+  - get
+# to create ServiceAccounts in each namespace the operator watches
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - create
+# to create role bindings to the postgres-pod service account
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  verbs:
+  - get
+  - create
+# to grant privilege to run privileged pods (not needed by default)
+#- apiGroups:
+#  - extensions
+#  resources:
+#  - podsecuritypolicies
+#  resourceNames:
+#  - privileged
+#  verbs:
+#  - use
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: postgres-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: postgres-operator
+subjects:
+- kind: ServiceAccount
+  name: postgres-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: postgres-pod
+rules:
+# Patroni needs to watch and manage endpoints
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+# Patroni needs to watch pods
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+# to let Patroni create a headless service
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+# to grant privilege to run privileged pods (not needed by default)
+#- apiGroups:
+#  - extensions
+#  resources:
+#  - podsecuritypolicies
+#  resourceNames:
+#  - privileged
+#  verbs:
+#  - use

k8s/operators/postgres-operator/postgres-operator.yaml

@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: postgres-operator
+  labels:
+    application: postgres-operator
+spec:
+  replicas: 1
+  strategy:
+    type: "Recreate"
+  selector:
+    matchLabels:
+      name: postgres-operator
+  template:
+    metadata:
+      labels:
+        name: postgres-operator
+    spec:
+      serviceAccountName: postgres-operator
+      containers:
+      - name: postgres-operator
+        image: ghcr.io/zalando/postgres-operator:v1.12.2
+        imagePullPolicy: IfNotPresent
+        resources:
+          requests:
+            cpu: 100m
+            memory: 250Mi
+          limits:
+            cpu: 500m
+            memory: 500Mi
+        securityContext:
+          runAsUser: 1000
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        env:
+        # provided additional ENV vars can overwrite individual config map entries
+        - name: CONFIG_MAP_NAME
+          value: "postgres-operator"
+        # In order to use the CRD OperatorConfiguration instead, uncomment these lines and comment out the two lines above
+        # - name: POSTGRES_OPERATOR_CONFIGURATION_OBJECT
+        #  value: postgresql-operator-default-configuration
+        # Define an ID to isolate controllers from each other
+        # - name: CONTROLLER_ID
+        #   value: "second-operator"