From 0f0a9319f200be74c28fd6dfb34b0948cc4141a8 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Mon, 4 Nov 2024 15:02:13 +0000 Subject: [PATCH 1/8] First pass of changes for license-key free installation Signed-off-by: Dj Walker-Morgan --- .../1/installation_upgrade.mdx | 72 +++++++++++++++++-- .../1/license_keys.mdx | 8 +-- .../postgres_for_kubernetes/1/openshift.mdx | 32 +++++++++ ...egistry.mdx => private_edb_registries.mdx} | 7 +- .../postgres_for_kubernetes/1/quickstart.mdx | 35 +++++---- 5 files changed, 129 insertions(+), 25 deletions(-) rename product_docs/docs/postgres_for_kubernetes/1/{private_edb_registry.mdx => private_edb_registries.mdx} (96%) diff --git a/product_docs/docs/postgres_for_kubernetes/1/installation_upgrade.mdx b/product_docs/docs/postgres_for_kubernetes/1/installation_upgrade.mdx index 33b94841bed..eeed1a342c5 100644 --- a/product_docs/docs/postgres_for_kubernetes/1/installation_upgrade.mdx +++ b/product_docs/docs/postgres_for_kubernetes/1/installation_upgrade.mdx 
@@ -14,6 +14,40 @@ originalFilePath: 'src/installation_upgrade.md' ## Installation on Kubernetes +### Obtaining an EDB subscription token + +!!! Important + You must obtain an EDB subscription token to install EDB Postgres for Kubernetes. Without a token, you will not be able to access the EDB private software repositories. + +Installing EDB Postgres for Kubernetes requires an EDB Repos 2.0 token to gain access to the EDB private software repositories. + +You can obtain the token by visiting your [EDB Account Profile](https://www.enterprisedb.com/accounts/profile). You will have to sign in if you are not already logged in. + +Your account profile page displays the token to use next to **Repos 2.0 Token** label. By default, the token is obscured, click the "Show" button (an eye icon) to reveal it. + +Your token entitles you to access one of two repositories: standard or enterprise. + +* Standard - Includes the operator and the EDB Postgres Extended operand images. +* Enterprise - Includes the operator and the EDB Postgres Advanced and EDB Postgres Extended images. + +Set the relevant value, determined by your subscription, as an environmental variable `EDB_SUBSCRIPTION_PLAN`. + +```shell +EDB_SUBSCRIPTION_PLAN=enterprise +``` + +then set the Repos 2.0 token to an environment variable `EDB_SUBSCRIPTION_TOKEN`. + +```shell +EDB_SUBSCRIPTION_TOKEN= +``` + +!!! Warning + The token is sensitive information. Please ensure that you don't expose it to unauthorized users. + + +You can now proceed with the installation. + ### Using the Helm Chart The operator can be installed using the provided [Helm chart](https://github.com/EnterpriseDB/edb-postgres-for-kubernetes-charts). 
@@ -23,12 +57,43 @@ The operator can be installed using the provided [Helm chart](https://github.com The operator can be installed like any other resource in Kubernetes, through a YAML manifest applied via `kubectl`. +#### Install the EDB pull secret + +Before installing EDB Postgres for Kubernetes, you need to create a pull secret for EDB software in the `postgresql-operator-system` namespace. + + +The pull secret needs to be saved in the namespace where the operator will reside. Create the `postgresql-operator-system` namespace using this command: + +```shell +kubectl create namespace postgresql-operator-system +``` + +To create the pull secret itself, run the following command: + +```shell +kubectl create secret -n postgresql-operator-system docker-registry edb-pull-secret \ + --docker-server=docker.enterprisedb.com \ + --docker-username=k8s_$EDB_SUBSCRIPTION_PLAN \ + --docker-password=$EDB_SUBSCRIPTION_TOKEN +``` + +#### Install the operator + +Now that the pull-secret has been added to the namespace, the operator can be installed like any other resource in Kubernetes, +through a YAML manifest applied via `kubectl`. + +There are two different manifests available depending on your subscription plan: + +- Standard: The [latest standard operator manifest](https://get.enterprisedb.io/pg4k/pg4k-standard-1.24.1.yaml). +- Enterprise: The [latest enterprise operator manifest](https://get.enterprisedb.io/pg4k/pg4k-enterprise-1.24.1.yaml). + +You can install the manifest for the latest version of the operator by running: You can install the [latest operator manifest](https://get.enterprisedb.io/cnp/postgresql-operator-1.24.1.yaml) for this minor release as follows: ```sh kubectl apply --server-side -f \ - https://get.enterprisedb.io/cnp/postgresql-operator-1.24.1.yaml + https://get.enterprisedb.io/pg4k/pg4k-$EDB_SUBSCRIPTION_PLAN-1.24.1.yaml ``` You can verify that with: 
@@ -72,9 +137,8 @@ for a more comprehensive example. In Kubernetes, the operator is by default installed in the `postgresql-operator-system` namespace as a Kubernetes `Deployment`. The name of this deployment depends on the installation method. -When installed through the manifest or the `cnp` plugin, it is called -`postgresql-operator-controller-manager` by default. When installed via Helm, the default name -is `postgresql-operator-cloudnative-pg`. +When installed through the manifest or the `cnp` plugin, by default, it is called `postgresql-operator-controller-manager`. +When installed via Helm, by default, the deployment name is derived from the helm release name, appended with the suffix `-edb-postgres-for-kubernetes` (e.g., `-edb-postgres-for-kubernetes`). !!! Note With Helm you can customize the name of the deployment via the diff --git a/product_docs/docs/postgres_for_kubernetes/1/license_keys.mdx b/product_docs/docs/postgres_for_kubernetes/1/license_keys.mdx index ef6c3994c98..f2c27e0ce31 100644 --- a/product_docs/docs/postgres_for_kubernetes/1/license_keys.mdx +++ b/product_docs/docs/postgres_for_kubernetes/1/license_keys.mdx 
@@ -3,11 +3,11 @@ title: 'License and License keys' originalFilePath: 'src/license_keys.md' --- -A license key is always required for the operator to work. +License keys are a legacy management mechanism for EDB Postgres for Kubernetes. You do not need a license key if you have installed using an EDB subscription token, and in this case, the licensing commands in this section can be ignored. -The only exception is when you run the operator with Community PostgreSQL: -in this case, if the license key is unset, a cluster will be started with the default -trial license - which automatically expires after 30 days. +If you are not using an EDB subscription token and installing from public repositories, then you will need a license key. The only exception is when you run the operator with Community PostgreSQL: in this case, if the license key is unset, a cluster will be started with the default trial license - which automatically expires after 30 days. This is not the recommended way of trialing EDB Postgres for Kubernetes - see the [installation guide](installation_upgrade) for the recommended options. + +The following documentation is only for users who have installed the operator using a license key. ## Company level license keys diff --git a/product_docs/docs/postgres_for_kubernetes/1/openshift.mdx b/product_docs/docs/postgres_for_kubernetes/1/openshift.mdx index 8d41b90bbae..85cc68ed538 100644 --- a/product_docs/docs/postgres_for_kubernetes/1/openshift.mdx +++ b/product_docs/docs/postgres_for_kubernetes/1/openshift.mdx 
@@ -227,6 +227,38 @@ If you are currently using `stable`, you have two options for moving off of it: ## Installation via web console +### Ensuring access to EDB private registry + +!!! Important + You'll need access to the private EDB repository where both the operator + and operand images are stored. Access requires a valid + [EDB subscription plan](https://www.enterprisedb.com/products/plans-comparison). + Please refer to ["Accessing EDB private image registries"](private_edb_registries) for further details. + +The OpenShift install will use pull secrets in order to access the +operand and operator images, which are held in a private repository. + +Once you have credentials to the private repository, you will need to create +a pull secret in the `openshift-operators` namespace, named: + +- `postgresql-operator-pull-secret`, for the EDB Postgres for Kubernetes operator images + +You can create each secret via the `oc create` command, as follows: + +``` sh +oc create secret docker-registry postgresql-operator-pull-secret \ + -n openshift-operators --docker-server=docker.enterprisedb.com \ + --docker-username="@@REPOSITORY@@" \ + --docker-password="@@TOKEN@@" +``` + +where: + +- `@@REPOSITORY@@` is the name of the repository, as explained in ["Which repository to +choose?"](private_edb_registries#which-repository-to-choose) +- `@@TOKEN@@` is the repository token for your EDB account, as explained in +["How to retrieve the token"](private_edb_registries#how-to-retrieve-the-token) + The EDB Postgres for Kubernetes operator can be found in the Red Hat OperatorHub directly from your OpenShift dashboard. 
diff --git a/product_docs/docs/postgres_for_kubernetes/1/private_edb_registry.mdx b/product_docs/docs/postgres_for_kubernetes/1/private_edb_registries.mdx similarity index 96% rename from product_docs/docs/postgres_for_kubernetes/1/private_edb_registry.mdx rename to product_docs/docs/postgres_for_kubernetes/1/private_edb_registries.mdx index 950c836ac0f..9a31994c998 100644 --- a/product_docs/docs/postgres_for_kubernetes/1/private_edb_registry.mdx +++ b/product_docs/docs/postgres_for_kubernetes/1/private_edb_registries.mdx @@ -17,7 +17,7 @@ operands, are kept in private container image registries under !!! Note When installing the operator and operands from the private registry, the - [license keys](./license_keys.md) are not needed. + [license keys](license_keys) are not needed. ## Which repository to choose? @@ -84,8 +84,7 @@ images available from the same private registries: `ghcr.io/enterprisedb/postgresql`. These images follow the requirements and the conventions described in the -["Container image requirements"](/postgres_for_kubernetes/latest/container_images/) -page of the EDB Postgres for Kubernetes documentation. +["Container image requirements"](container_images). In the table below you can find the image name prefix for each Postgres distribution: @@ -146,7 +145,7 @@ and the token is the *password*. The same credentials can be used for kubernetes to access the registry by setting up a [`kubernetes.io/dockerconfigjson` pull secret](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types). -As mentioned in the [installation document](./installation_upgrade.md), there +As mentioned in the [installation document](installation_upgrade), there are several different ways to install the operator. If you are going to install using images from the private registry, you will diff --git a/product_docs/docs/postgres_for_kubernetes/1/quickstart.mdx b/product_docs/docs/postgres_for_kubernetes/1/quickstart.mdx index aedcc448496..4a09ca7e47b 100644 
--- a/product_docs/docs/postgres_for_kubernetes/1/quickstart.mdx +++ b/product_docs/docs/postgres_for_kubernetes/1/quickstart.mdx @@ -33,8 +33,7 @@ cluster on your local Kubernetes/Openshift installation and experiment with it. ## Part 1 - Setup the local Kubernetes/Openshift Local playground -The first part is about installing Minikube, Kind, or OpenShift Local. Please spend some time -reading about the systems and decide which one to proceed with. +The first part is about installing Minikube, Kind, or OpenShift Local. Please spend some time reading about the systems and decide which one to proceed with. After setting up one of them, please proceed with part 2. We also provide instructions for setting up monitoring with Prometheus and @@ -107,6 +106,8 @@ kind create cluster --name pg Now that you have a Kubernetes installation up and running on your laptop, you can proceed with EDB Postgres for Kubernetes installation. +Unless specified in a cluster configuration file, EDB Postgres for Kubernetes will currently deploy Community Postgresql operands by default. See the section [Deploying EDB Postgres servers](#deploying-edb-postgres-servers) for more information. + Refer to the ["Installation"](installation_upgrade.md) section and then proceed with the deployment of a PostgreSQL cluster. 
@@ -131,18 +132,11 @@ spec: size: 1Gi ``` -!!! Note "Installing other operands" - EDB Postgres for Kubernetes supports not just PostgreSQL, but EDB Postgres - Extended (PGE) and EDB Postgres Advanced (EPAS). - The images for those operands are kept in private registries. Please refer - to the [private registry](private_edb_registry.md) document for instructions - on deploying clusters using PGE or EPAS as operands. - !!! Note "There's more" For more detailed information about the available options, please refer to the ["API Reference" section](pg4k.v1.md). -In order to create the 3-node PostgreSQL cluster, you need to run the following command: +In order to create the 3-node Community PostgreSQL cluster, you need to run the following command: ```sh kubectl apply -f cluster-example.yaml @@ -169,10 +163,25 @@ kubectl get pods -l k8s.enterprisedb.io/cluster= have seen or used `postgresql`. This label is being deprecated, and will be dropped in the future. Please use `k8s.enterprisedb.io/cluster`. +### Deploying EDB Postgres servers + By default, the operator will install the latest available minor version -of the latest major version of PostgreSQL when the operator was released. +of the latest major version of Community PostgreSQL when the operator was released. You can override this by setting the `imageName` key in the `spec` section of -the `Cluster` definition. For example, to install PostgreSQL 13.6: +the `Cluster` definition. For example, to install EDB Postgres Advanced 16.4 you can use: + +```yaml +apiVersion: postgresql.k8s.enterprisedb.io/v1 +kind: Cluster +metadata: + # [...] +spec: + # [...] + imageName: docker.enterprisedb.com/k8s_enterprise/edb-postgres-advanced:16 + # [...] +``` + +And to install EDB Postgres Extended 16 you can use: ```yaml apiVersion: postgresql.k8s.enterprisedb.io/v1 
@@ -181,7 +190,7 @@ metadata: # [...] spec: # [...] - imageName: quay.io/enterprisedb/postgresql:13.6 + imageName: docker.enterprisedb.com/k8s_enterprise/edb-postgres-extended:16 #[...] ``` From 92bb9dc0760fdfba038dbc3f8753938f05d2ad10 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Mon, 4 Nov 2024 15:11:44 +0000 Subject: [PATCH 2/8] Additional backport of missing release note Signed-off-by: Dj Walker-Morgan --- .../1/rel_notes/1_22_6_rel_notes.mdx | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/product_docs/docs/postgres_for_kubernetes/1/rel_notes/1_22_6_rel_notes.mdx b/product_docs/docs/postgres_for_kubernetes/1/rel_notes/1_22_6_rel_notes.mdx index f9ae43f2b07..04a105214bb 100644 --- a/product_docs/docs/postgres_for_kubernetes/1/rel_notes/1_22_6_rel_notes.mdx +++ b/product_docs/docs/postgres_for_kubernetes/1/rel_notes/1_22_6_rel_notes.mdx 
@@ -7,6 +7,18 @@ Released: 26 Aug 2024 This release of EDB Postgres for Kubernetes includes the following: -| Type | Description | -| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Upstream merge | Merged with community CloudNativePG 1.22.6. See the community [Release Notes](https://cloudnative-pg.io/documentation/1.22/release_notes/v1.22/). | +### Features + +* **Configuration of Pod Disruption Budgets (PDB)**: Introduced the `.spec.enablePDB` field to disable PDBs on the primary instance, allowing proper eviction of the pod during maintenance operations. This is particularly useful for single-instance deployments. This feature is intended to replace the node maintenance window feature. + +### Enhancements + +* **cnp plugin updates**: + * Enhance the install generate command by adding a --control-plane option, allowing deployment of the operator on control-plane nodes by setting node affinity and tolerations (\#5271). + * Enhance the destroy command to delete also any job related to the target instance (\#5298). + +### Fixes + +* Synchronous replication self-healing checks now exclude terminated pods, focusing only on active and functional pods (\#5210). +* The instance manager will now terminate all existing operator-related replication connections following a role change in a replica cluster (\#5209). +* Allow setting smartShutdownTimeout to zero, enabling immediate fast shutdown and bypassing the smart shutdown process when required (\#5347). \ No newline at end of file From 9113bc36cec04600fc12a0e996f5a2f352428843 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Mon, 4 Nov 2024 15:49:09 +0000 Subject: [PATCH 3/8] migrated fix Signed-off-by: Dj Walker-Morgan --- .../docs/postgres_for_kubernetes/1/installation_upgrade.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/product_docs/docs/postgres_for_kubernetes/1/installation_upgrade.mdx b/product_docs/docs/postgres_for_kubernetes/1/installation_upgrade.mdx index eeed1a342c5..41bbab987d7 100644 --- a/product_docs/docs/postgres_for_kubernetes/1/installation_upgrade.mdx +++ b/product_docs/docs/postgres_for_kubernetes/1/installation_upgrade.mdx @@ -28,9 +28,9 @@ Your account profile page displays the token to use next to **Repos 2.0 Token** Your token entitles you to access one of two repositories: standard or enterprise. * Standard - Includes the operator and the EDB Postgres Extended operand images. -* Enterprise - Includes the operator and the EDB Postgres Advanced and EDB Postgres Extended images. +* Enterprise - Includes the operator and the EDB Postgres Advanced and EDB Postgres Extended operand images. -Set the relevant value, determined by your subscription, as an environmental variable `EDB_SUBSCRIPTION_PLAN`. +Set the relevant value, determined by your subscription, as an environment variable `EDB_SUBSCRIPTION_PLAN`. ```shell EDB_SUBSCRIPTION_PLAN=enterprise From 1da62ceb21186f18548d7471fb1e231ff716407f Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Mon, 4 Nov 2024 16:39:16 +0000 Subject: [PATCH 4/8] Fix ups and fill out plugin Signed-off-by: Dj Walker-Morgan --- .../1/installation_upgrade.mdx | 5 +- .../1/kubectl-plugin.mdx | 167 +++++++++++++++--- 2 files changed, 142 insertions(+), 30 deletions(-) diff --git a/product_docs/docs/postgres_for_kubernetes/1/installation_upgrade.mdx b/product_docs/docs/postgres_for_kubernetes/1/installation_upgrade.mdx index 41bbab987d7..3becbdeae40 100644 --- a/product_docs/docs/postgres_for_kubernetes/1/installation_upgrade.mdx +++ b/product_docs/docs/postgres_for_kubernetes/1/installation_upgrade.mdx 
@@ -27,8 +27,8 @@ Your account profile page displays the token to use next to **Repos 2.0 Token** Your token entitles you to access one of two repositories: standard or enterprise. -* Standard - Includes the operator and the EDB Postgres Extended operand images. -* Enterprise - Includes the operator and the EDB Postgres Advanced and EDB Postgres Extended operand images. +* `standard` - Includes the operator and the EDB Postgres Extended operand images. +* `enterprise` - Includes the operator and the EDB Postgres Advanced and EDB Postgres Extended operand images. Set the relevant value, determined by your subscription, as an environment variable `EDB_SUBSCRIPTION_PLAN`. @@ -45,7 +45,6 @@ EDB_SUBSCRIPTION_TOKEN= !!! Warning The token is sensitive information. Please ensure that you don't expose it to unauthorized users. - You can now proceed with the installation. ### Using the Helm Chart diff --git a/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx b/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx index 47b0c615ef8..35ad9c19403 100644 --- a/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx +++ b/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx 
@@ -34,38 +34,37 @@ them in your systems. #### Debian packages -For example, let's install the 1.22.2 release of the plugin, for an Intel based +For example, let's install the 1.24.1 release of the plugin, for an Intel based 64 bit server. First, we download the right `.deb` file. ``` sh -wget https://github.com/EnterpriseDB/kubectl-cnp/releases/download/v1.22.1/kubectl-cnp_1.22.2_linux_x86_64.deb +$ wget https://github.com/EnterpriseDB/kubectl-cnp/releases/download/v1.24.1/kubectl-cnp_1.24.1_linux_x86_64.deb --output-document kube-plugin.deb ``` Then, install from the local file using `dpkg`: ``` sh -dpkg -i kubectl-cnp_1.22.2_linux_x86_64.deb -(Reading database ... 702524 files and directories currently installed.) -Preparing to unpack kubectl-cnp_1.22.2_linux_x86_64.deb ... -Unpacking cnp (1.22.2) over (1.22.2) ... -Setting up cnp (1.22.2) .. +$ dpkg -i kube-plugin.deb +(Reading database ... 6688 files and directories currently installed.) +Preparing to unpack kube-plugin.deb ... +Unpacking kubectl-cnp (1.24.1) ... +Setting up kubectl-cnp (1.24.1) ... ``` #### RPM packages -As in the example for `.deb` packages, let's install the 1.22.2 release for an +As in the example for `.deb` packages, let's install the 1.24.1 release for an Intel 64 bit machine. Note the `--output` flag to provide a file name. ``` sh -curl -L https://github.com/EnterpriseDB/kubectl-cnp/releases/download/v1.22.2/kubectl-cnp_1.22.2_linux_x86_64.rpm \ - --output kube-plugin.rpm +curl -L https://github.com/EnterpriseDB/kubectl-cnp/releases/download/v1.24.1/kubectl-cnp_1.24.1_linux_x86_64.rpm --output kube-plugin.rpm ``` Then install with `yum`, and you're ready to use: ``` sh -yum --disablerepo=* localinstall kube-plugin.rpm -yum --disablerepo=* localinstall kube-plugin.rpm +$ yum --disablerepo=* localinstall kube-plugin.rpm +yum --disablerepo=* localinstall kube-plugin.rpm __OUTPUT__ Failed to set locale, defaulting to C.UTF-8 Dependencies resolved. 
@@ -73,14 +72,14 @@ Dependencies resolved. Package Architecture Version Repository Size ==================================================================================================== Installing: - cnp x86_64 1.22.2-1 @commandline 17 M + cnp x86_64 1.24.1-1 @commandline 20 M Transaction Summary ==================================================================================================== Install 1 Package -Total size: 14 M -Installed size: 43 M +Total size: 20 M +Installed size: 78 M Is this ok [y/N]: y ``` @@ -90,19 +89,19 @@ EDB Postgres for Kubernetes Plugin is currently built for the following operating system and architectures: * Linux - * amd64 - * arm 5/6/7 - * arm64 - * s390x - * ppc64le + * amd64 + * arm 5/6/7 + * arm64 + * s390x + * ppc64le * macOS - * amd64 - * arm64 + * amd64 + * arm64 * Windows - * 386 - * amd64 - * arm 5/6/7 - * arm64 + * 386 + * amd64 + * arm 5/6/7 + * arm64 ### Configuring auto-completion @@ -461,7 +460,7 @@ default time-stamped filename is created for the zip file. !!! Note The report plugin obeys `kubectl` conventions, and will look for objects constrained - by namespace. The CNP Operator will generally not be installed in the same + by namespace. The PG4K Operator will generally not be installed in the same namespace as the clusters. E.g. the default installation namespace is postgresql-operator-system 
@@ -1389,3 +1388,117 @@ The `cnp` plugin can be easily integrated in [K9s](https://k9scli.io/), a popular terminal-based UI to interact with Kubernetes clusters. See [`k9s/plugins.yml`](../samples/k9s/plugins.yml) for details. + +## Permissions required by the plugin + +The plugin requires a set of Kubernetes permissions that depends on the command +to execute. These permissions may affect resources and sub-resources like Pods, +PDBs, PVCs, and enable actions like `get`, `delete`, `patch`. The following +table contains the full details: + +| Command | Resource Permissions | +|:----------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| backup | clusters: get
backups: create | +| certificate | clusters: get
secrets: get,create | +| destroy | pods: get,delete
jobs: delete,list
PVCs: list,delete,update | +| fencing | clusters: get,patch
pods: get | +| fio | PVCs: create
configmaps: create
deployment: create | +| hibernate | clusters: get,patch,delete
pods: list,get,delete
pods/exec: create
jobs: list
PVCs: get,list,update,patch,delete | +| install | none | +| logs | clusters: get
pods: list
pods/log: get | +| maintenance | clusters: get,patch,list
| +| pgadmin4 | clusters: get
configmaps: create
deployments: create
services: create
secrets: create | +| pgbench | clusters: get
jobs: create
| +| promote | clusters: get
clusters/status: patch
pods: get | +| psql | pods: get,list
pods/exec: create | +| publication | clusters: get
pods: get,list
pods/exec: create | +| reload | clusters: get,patch | +| report cluster | clusters: get
pods: list
pods/log: get
jobs: list
events: list
PVCs: list | +| report operator | configmaps: get
deployments: get
events: list
pods: list
pods/log: get
secrets: get
services: get
mutatingwebhookconfigurations: list(1)
validatingwebhookconfigurations: list(1)
If OLM is present on the K8s cluster, also:
clusterserviceversions: list
installplans: list
subscriptions: list | +| restart | clusters: get,patch
pods: get,delete | +| status | clusters: get
pods: list
pods/exec: create
pods/proxy: create
PDBs: list | +| subscription | clusters: get
pods: get,list
pods/exec: create | +| version | none | + +(1): The permissions are cluster scope ClusterRole resources. + +Additionally, assigning the `list` permission on the `clusters` will enable +autocompletion for multiple commands. + +### Role examples + +It is possible to create roles with restricted permissions. +The following example creates a role that only has access to the cluster logs: + +```yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cnp-log +rules: + - verbs: + - get + apiGroups: + - postgresql.k8s.enterprisedb.io + resources: + - clusters + - verbs: + - list + apiGroups: + - '' + resources: + - pods + - verbs: + - get + apiGroups: + - '' + resources: + - pods/log +``` + +The next example shows a role with the minimal permissions required to get +the cluster status using the plugin's `status` command: + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cnp-status +rules: + - verbs: + - get + apiGroups: + - postgresql.k8s.enterprisedb.io + resources: + - clusters + - verbs: + - list + apiGroups: + - '' + resources: + - pods + - verbs: + - create + apiGroups: + - '' + resources: + - pods/exec + - verbs: + - create + apiGroups: + - '' + resources: + - pods/proxy + - verbs: + - list + apiGroups: + - policy + resources: + - poddisruptionbudgets +``` + +!!! Important + Keeping the verbs restricted per `resources` and per `apiGroups` helps to + prevent inadvertently granting more than intended permissions. + \ No newline at end of file From 1eeef46529bc85212deba971e4a1c1ef34f111af Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Mon, 4 Nov 2024 16:44:51 +0000 Subject: [PATCH 5/8] More fixups Signed-off-by: Dj Walker-Morgan --- product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx b/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx index 35ad9c19403..d292813ba76 100644 --- a/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx +++ b/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx @@ -1,6 +1,7 @@ --- title: 'EDB Postgres for Kubernetes Plugin' originalFilePath: 'src/kubectl-plugin.md' +deepToC: true --- EDB Postgres for Kubernetes provides a plugin for `kubectl` to manage a cluster in Kubernetes. @@ -64,7 +65,6 @@ Then install with `yum`, and you're ready to use: ``` sh $ yum --disablerepo=* localinstall kube-plugin.rpm -yum --disablerepo=* localinstall kube-plugin.rpm __OUTPUT__ Failed to set locale, defaulting to C.UTF-8 Dependencies resolved. From a3e61308a8e2b2cf3854edc37ead0aedbabdccbb Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Mon, 4 Nov 2024 17:15:41 +0000 Subject: [PATCH 6/8] Removed in-code prompt Signed-off-by: Dj Walker-Morgan --- .../docs/postgres_for_kubernetes/1/kubectl-plugin.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx b/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx index d292813ba76..3e898cdea13 100644 --- a/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx +++ b/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx @@ -39,7 +39,7 @@ For example, let's install the 1.24.1 release of the plugin, for an Intel based 64 bit server. First, we download the right `.deb` file. ``` sh -$ wget https://github.com/EnterpriseDB/kubectl-cnp/releases/download/v1.24.1/kubectl-cnp_1.24.1_linux_x86_64.deb --output-document kube-plugin.deb +wget https://github.com/EnterpriseDB/kubectl-cnp/releases/download/v1.24.1/kubectl-cnp_1.24.1_linux_x86_64.deb --output-document kube-plugin.deb ``` Then, install from the local file using `dpkg`: 
@@ -64,7 +64,7 @@ curl -L https://github.com/EnterpriseDB/kubectl-cnp/releases/download/v1.24.1/ku Then install with `yum`, and you're ready to use: ``` sh -$ yum --disablerepo=* localinstall kube-plugin.rpm +yum --disablerepo=* localinstall kube-plugin.rpm __OUTPUT__ Failed to set locale, defaulting to C.UTF-8 Dependencies resolved. From 6dd876ea7b88ded08f993349d1207f7e8f435c27 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Mon, 4 Nov 2024 18:06:40 +0000 Subject: [PATCH 7/8] DEPROMPTED more Signed-off-by: Dj Walker-Morgan --- .../docs/postgres_for_kubernetes/1/kubectl-plugin.mdx | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx b/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx index 3e898cdea13..d0bd8681137 100644 --- a/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx +++ b/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx @@ -45,7 +45,7 @@ wget https://github.com/EnterpriseDB/kubectl-cnp/releases/download/v1.24.1/kubec Then, install from the local file using `dpkg`: ``` sh -$ dpkg -i kube-plugin.deb +dpkg -i kube-plugin.deb (Reading database ... 6688 files and directories currently installed.) Preparing to unpack kube-plugin.deb ... Unpacking kubectl-cnp (1.24.1) ... @@ -797,7 +797,7 @@ It can be used in combination with `kubectl cnp logs cluster`, as shown in the following example: ``` sh -$ kubectl cnp logs cluster cluster-example | kubectl cnp logs pretty +kubectl cnp logs cluster cluster-example | kubectl cnp logs pretty 2024-10-15T17:35:00.336 INFO cluster-example-1 instance-manager Starting EDB Postgres for Kubernetes Instance Manager 2024-10-15T17:35:00.336 INFO cluster-example-1 instance-manager Checking for free disk space for WALs before starting PostgreSQL 2024-10-15T17:35:00.347 INFO cluster-example-1 instance-manager starting tablespace manager 
@@ -810,7 +810,7 @@ cnp logs in JSON format, such as `stern`, or `kubectl logs`, as in the following example: ``` sh -$ kubectl logs cluster-example-1 | kubectl cnp logs pretty +kubectl logs cluster-example-1 | kubectl cnp logs pretty 2024-10-15T17:35:00.336 INFO cluster-example-1 instance-manager Starting EDB Postgres for Kubernetes Instance Manager 2024-10-15T17:35:00.336 INFO cluster-example-1 instance-manager Checking for free disk space for WALs before starting PostgreSQL 2024-10-15T17:35:00.347 INFO cluster-example-1 instance-manager starting tablespace manager @@ -824,7 +824,7 @@ level. Here's an example: ``` sh -$ kubectl cnp logs cluster cluster-example | kubectl cnp logs pretty --pods cluster-example-1 --loggers postgres --log-level info +kubectl cnp logs cluster cluster-example | kubectl cnp logs pretty --pods cluster-example-1 --loggers postgres --log-level info 2024-10-15T17:35:00.509 INFO cluster-example-1 postgres 2024-10-15 17:35:00.509 UTC [29] LOG: redirecting log output to logging collector process 2024-10-15T17:35:00.509 INFO cluster-example-1 postgres 2024-10-15 17:35:00.509 UTC [29] HINT: Future log output will appear in directory "/controller/log"... 2024-10-15T17:35:00.510 INFO cluster-example-1 postgres 2024-10-15 17:35:00.509 UTC [29] LOG: ending log output to stderr 
@@ -841,7 +841,7 @@ each sorted group. The size of the grouping can be configured via the `--sorting-group-size` flag (default: 1000), as illustrated in the following example: ``` sh -$ kubectl cnp logs cluster cluster-example | kubectl cnp logs pretty --sorting-group-size=3 +kubectl cnp logs cluster cluster-example | kubectl cnp logs pretty --sorting-group-size=3 2024-10-15T17:35:20.426 INFO cluster-example-2 instance-manager Starting EDB Postgres for Kubernetes Instance Manager 2024-10-15T17:35:20.426 INFO cluster-example-2 instance-manager Checking for free disk space for WALs before starting PostgreSQL 2024-10-15T17:35:20.438 INFO cluster-example-2 instance-manager starting tablespace manager From 65940bcbb88b45ae6e58e23adfb80bffb5f4a5d2 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Mon, 4 Nov 2024 18:10:43 +0000 Subject: [PATCH 8/8] Root priv requirement in install noted Signed-off-by: Dj Walker-Morgan --- .../docs/postgres_for_kubernetes/1/kubectl-plugin.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx b/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx index d0bd8681137..bbf802d0df1 100644 --- a/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx +++ b/product_docs/docs/postgres_for_kubernetes/1/kubectl-plugin.mdx @@ -42,10 +42,10 @@ For example, let's install the 1.24.1 release of the plugin, for an Intel based wget https://github.com/EnterpriseDB/kubectl-cnp/releases/download/v1.24.1/kubectl-cnp_1.24.1_linux_x86_64.deb --output-document kube-plugin.deb ``` -Then, install from the local file using `dpkg`: +Then, with super user privileges, install from the local file using `dpkg`: ``` sh -dpkg -i kube-plugin.deb +sudo dpkg -i kube-plugin.deb (Reading database ... 6688 files and directories currently installed.) Preparing to unpack kube-plugin.deb ... Unpacking kubectl-cnp (1.24.1) ... 
@@ -61,10 +61,10 @@ Intel 64 bit machine. Note the `--output` flag to provide a file name. curl -L https://github.com/EnterpriseDB/kubectl-cnp/releases/download/v1.24.1/kubectl-cnp_1.24.1_linux_x86_64.rpm --output kube-plugin.rpm ``` -Then install with `yum`, and you're ready to use: +Then, with super user privileges, install with `yum`, and you're ready to use: ``` sh -yum --disablerepo=* localinstall kube-plugin.rpm +sudo yum --disablerepo=* localinstall kube-plugin.rpm __OUTPUT__ Failed to set locale, defaulting to C.UTF-8 Dependencies resolved.
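Review bot: In PATCH 1/8, `installation_upgrade.mdx`, hunk `@@ -14,6 +14,40 @@`, the second shell snippet reads `EDB_SUBSCRIPTION_TOKEN=` with nothing after the equals sign, so a reader who copies it sets an empty token and the later `--docker-password` argument is empty. If a placeholder was intended here, make sure it survives rendering and is visibly a placeholder. The Warning that follows says the token is sensitive but gives no guidance; since the documented way of setting it is to type it into an assignment, which lands in shell history, consider describing a way to set the variable that does not record the value.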
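Review bot: In PATCH 1/8, `installation_upgrade.mdx`, hunk `@@ -23,12 +57,43 @@`, the unchanged sentence "You can install the [latest operator manifest](https://get.enterprisedb.io/cnp/postgresql-operator-1.24.1.yaml) for this minor release as follows:" is left in place directly after the new sentence "You can install the manifest for the latest version of the operator by running:", so the page now has two lead-ins and the older one still links to the `cnp/postgresql-operator-1.24.1.yaml` manifest that the command below no longer uses. Remove the old sentence. The first context line of the hunk, "The operator can be installed like any other resource in Kubernetes...", is also repeated almost word for word under "Install the operator". In the `kubectl create secret` command, quote the expansions (`--docker-password="$EDB_SUBSCRIPTION_TOKEN"`, and likewise the username) so an unset or unusual value fails visibly rather than splitting the argument.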
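Review bot: In PATCH 1/8, `installation_upgrade.mdx`, hunk `@@ -72,9 +137,8 @@`, the example in parentheses, "(e.g., `-edb-postgres-for-kubernetes`)", is identical to the suffix it is meant to illustrate and shows no release name in front of it. Give a concrete release name in the example so the derived deployment name is distinguishable from the bare suffix, and capitalise "Helm" in "helm release name" to match the rest of the paragraph.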
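Review bot: In PATCH 1/8, `openshift.mdx`, hunk `@@ -227,6 +227,38 @@`, the text says "You can create each secret via the `oc create` command" but the list above it names a single secret, `postgresql-operator-pull-secret`, and introduces it with "named:" followed by a one-item bullet list. Either reword to "the secret" and fold the name into the sentence, or list the other secrets if more are required. The Important admonition refers to a "private EDB repository" while the heading and the linked page say "registry"; pick one term.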
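Review bot: In PATCH 1/8, `quickstart.mdx`, hunk `@@ -107,6 +106,8 @@`, the added paragraph writes "Community Postgresql" where the rest of the patch uses "Community PostgreSQL", and the unchanged line after it still links to `installation_upgrade.md` while this same commit changes the links in `private_edb_registries.mdx` to the extensionless form (`installation_upgrade`, `license_keys`). Fix the capitalisation and bring the link style in line with the other files touched here.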
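Review bot: In PATCH 1/8, `quickstart.mdx`, hunks `@@ -169,10 +163,25 @@` and `@@ -181,7 +190,7 @@`, the text says "to install EDB Postgres Advanced 16.4" but the example sets `imageName: docker.enterprisedb.com/k8s_enterprise/edb-postgres-advanced:16`, so the version in the prose and the tag in the YAML disagree. Both examples also hard-code the `k8s_enterprise` repository, although the installation page in this patch states that the standard plan includes the EDB Postgres Extended images; say which repository name a standard subscriber should use for the Extended example. The removed "Installing other operands" note was the only pointer from this section to the private registry page, and the new section now pulls from `docker.enterprisedb.com`, so keep a link to `private_edb_registries` here.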
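Review bot: In PATCH 2/8, `1_22_6_rel_notes.mdx`, hunk `@@ -7,6 +7,18 @@`, command and field names are formatted inconsistently: `.spec.enablePDB` is in code formatting, but `--control-plane`, `install generate`, `destroy` and `smartShutdownTimeout` are plain text. Put them in backticks as well. The file also ends without a trailing newline ("\ No newline at end of file").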
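Review bot: In PATCH 4/8, `kubectl-plugin.mdx`, hunk `@@ -34,38 +34,37 @@`, the Debian and RPM instructions download a package with `wget` or `curl -L` and pass it straight to `dpkg -i` or `yum localinstall` with no integrity check in between. If the release publishes checksums or signatures, add a verification step before the install command. The hunk also introduces a `$ ` prompt on the `wget`, `dpkg` and `yum` lines and leaves the `yum` command duplicated on one line ahead of `__OUTPUT__`; patches 5/8 to 8/8 undo these one at a time, so consider squashing those fixups into this commit. Quote the glob in `--disablerepo=*` so the shell cannot expand it against files in the current directory.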
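Review bot: In PATCH 4/8, `kubectl-plugin.mdx`, hunk `@@ -1389,3 +1388,117 @@`, the `cnp-status` role is introduced as "the minimal permissions required to get the cluster status" yet it grants `create` on `pods/exec` and `pods/proxy`, which lets the holder run commands in, and proxy to, any pod in the namespace. State that explicitly next to the example so readers do not treat the role as read-only. Neither Role example sets `metadata.namespace` or shows a RoleBinding, so as written they do not tell the reader where the role applies or how it is attached to a user. The table abbreviates resources as "PVCs" and "PDBs" while the YAML uses the real resource name `poddisruptionbudgets`; use the API resource names in the table so rows can be copied into `resources:`. The first YAML block starts with `---` and the second does not, and the file ends without a trailing newline.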