Vulnerability assessment tool database

The vulnerability assessment tool database is a postgresql database used to store a CVEs, constructs, ...

Prerequisites

Kubernetes 1.9 with Beta APIs enabled
Persistent volume provisionner support in underlying infrastructure

Introduction

This chart bootstraps a HA Postgresql cluster deployment on a Kubernetes cluster comprising of a:

Postgres master statefulset
Postgres slave statefulset
Pgpool statefulset

Installing the chart

To install the chart with the release name release:

$ helm install my-release .

The command deploys the database subchart of the vulnerability-assessment-tool-core chart v0.1.1 chart on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.

Uninstalling the chart

To uninstall/delete the release deployment:

$ helm delete my-release

The command removes all the Kubernetes components associated with the chart and deletes the release.

Configuration

Initialisation scripts can be add in the files/ folder and must be executable inside a shell since it's encapsulated in one. The following table lists the configurable parameters of the database chart and their default values. As values in this chart are quite highly nested, this table is split into two parts for easy readability

.Values.postgres

Parameter	Description	Default
metrics.enabled	Enables prometheus exporter	`true`
debug	Postgres logging level (see postgres docs	`WARNING`
image.initContainer.pullPolicy	To avoid cluster going out of sync `Always` is recommended if the image is subject to constant changes	`IfNotPresent`
image.initContainer.name	Postgresql init container image name (used for pg_basebackup)	`postgres`
image.initContainer.tag	Image tag for desired initcontainer image version	`11.5-alpine`
image.initContainer.securityContext	Postgresql init container securityContext. This container requires root execution because it needs to fix permissions on the PVC (using chown on the set `pgdata` directory)	runAsUser: `0` privileged: `true`
image.mainContainer.pullPolicy	As Postgres images are stable, `IfNotPresent` is the recommended pullPolicy in this case	`IfNotPresent`
image.mainContainer.name	Postgres main container (actual database) image name	`postgres`
image.mainContainer.tag	The vulnerability database functions with any postgres 11.x version (with version 12.x to be tested soon)	`11.5`
image.mainContainer.securityContext	Postgresql's default container UID is 999 and requires reading to the root file system to properly operate	runAsUser: `999` runAsGroup: `999` privileged:`False` readOnlyRootFilesystem:`False`
image.exporterContainer.pullPolicy	Since this image is maintained by a small group of individuals, image drift is possible, `Always` is recommended in production	`IfNotPresent`
image.exporterContainer.name	See source code	`wrouesnel/postgres_exporter`
image.exporterContainer.tag	Latest image tag as of this chart release	`v0.5.1`
master.updateStrategy		`RollingUpdate`
master.terminationGracePeriodSeconds	Sets the amount of time k8s allows for the database to gracefully shutdown, this window allows for Postgresql to launch `pg_ctl stop fast`	`10`
master.livenessProbe.enabled	readinessProbe configuration to be tuned to latency and performance of the cluster at hand	enabled: `true` initialDelaySeconds: `60` periodSeconds: `5` timeoutSeconds: `3` failureThreshold: `20`
master.readinessProbe.enabled	readinessProbe configuration to be tuned to latency and performance of the cluster at hand	enabled: `true` initialDelaySeconds: `5` periodSeconds: `5` timeoutSeconds: `3` failureThreshold: `3`
master.pvcMountPath	Set with $PG_DATA	`/var/lib/postgresql/data`
master.accessModes	PVC accessMode, if you want fault tolerance for the master statefulset, it is a possibility to set an nfs with `ReadWriteMany` in addition with failover	`ReadWriteOnce`
master.requests.storage	Storage size requests, 10Gi is the minimum requirement	`10Gi`
slave.backoffDuration	delay between probe attempts to wait for master node	`10`
slave.updateStrategy		`RollingUpdate`
slave.terminationGracePeriodSeconds	Sets the amount of time k8s allows for the database to gracefully shutdown, this window allows for Postgresql to launch `pg_ctl stop fast	`10`
slave.livenessProbe.enabled	readinessProbe configuration to be tuned to latency and performance of the cluster at hand	enabled: `true` initialDelaySeconds: `60` periodSeconds: `5` timeoutSeconds: `3` failureThreshold: `20`
slave.readinessProbe.enabled	readinessProbe configuration to be tuned to latency and performance of the cluster at hand	enabled: `true` initialDelaySeconds: `50` periodSeconds: `5` timeoutSeconds: `3` failureThreshold: `3`
slave.pvcMountPath	Set with $PG_DATA	`/var/lib/postgresql/data`
slave.accessModes	`ReadWriteOnce` is recommended here for the low cost and the fact that fault tolerance comes from the replication	`ReadWriteOnce`
slave.requests.storage	recommended to be ~= Master storage requests due to streaming replication	`10Gi`

Note: The postgresql init script can be customized here

.Values.pgpool

Parameter	Description	Default
name	Used to determine prefix for pgpool objects in kubernetes	`pgpool`
debug	Sets pgpool log level to DEBUG if `true` (see pgpool docs)	`False`
replicas	The optimal number of instances should be around `master replicas + slave replicas` (see benchmark)	`3`
updateStrategy		`RollingUpdate`
loadBalanceMode	Used to set distributing select queries per node. See pgpool lb docs	`true`
failOverOnBackendError		`False`
numInitChildren	Number of processes that pgpool preforks. This parameter can only be modified on launch so its recommended to anticipate for high usage	`100`
maxPool	Maximum number of cached open connection pgpool has to the PostgreSQL instance	`10`
clientIdleLimit	Kills inactif client after `clientIdleLimit` seconds	`920`
connectionLifeTime	Sets the lifespan of a cached connection in seconds. This is set to avoid the default `0` which never kills/renews connections	`500`
terminationGracePeriodSeconds	Allows for pgpool to gracefully terminate its connections	`15`
useWatchDog	Sets the `use_watchdog` configuration (see pgpool watchdog docs)	`true`
watchDog.interval		`15`
healthCheck	Postgresql connection health checks. The default timeout value makes sure that during initialisation, the pgpool statefulset doesn't go into a CrashLoop	timeout: `0` period: `30` maxRetries: `5` retryDelay: `5`
image.pullPolicy	Image maintained by company so drift shouldn't be an issue	`IfNotPresent`
image.name		`crunchydata/crunchy-pgpool`
image.tag		`centos7-11.4-2.4.1`
image.securityContext	Shares the postgres UID	runAsUser: `999` runAsGroup: `999` privileged: `False` readOnlyRootFilesystem: `False`
image.readinessProbe		enabled: `true` initialDelaySeconds: `35` periodSeconds: `10` timeoutSeconds: `10` failureThreshold: `3`
image.livenessProbe		enabled: `true` initialDelaySeconds: `35` periodSeconds: `30` timeoutSeconds: `10` failureThreshold: `3`

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

$ helm install --name my-release \
  --set postgres.image.mainContainer.pullPolicy=Always .

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

$ helm install --name my-release -f values.yaml .

Production configuration

This chart includes a values_production.yaml file where you can find some parameters oriented to production configuration in comparison to the regular values.yaml.

$ helm install --name my-release -f values_adv.yaml .

These values can be configured as follows:

Parameter	Description	Default
postgres.master.resources	Corner stone of infrastructure so high performance is required	requests: memory:`15Gi` cpu: `15` limit: memory: `22Gi` cpu: `22`
postgres.slave.resources	As these are replicas their demands are lower than that of the master db	requests: memory:`8Gi` cpu: `8` limit: memory: `15Gi` cpu: `15`
pgpool.image.resources	Pgpool does not consume a whole lot of resources	requests: memory:`1Gi` cpu: `1000m` limit: memory: `2Gi` cpu: `2000m`
postgres.masterAntiAffinity	Makes pods (from master statefulset and slave) avoid sharing nodes with master. If set to `{}` disables this option	soft: `true` weight: `100`
postgres.slaveAntiAffinity	Makes pods (from master statefulset and slave) avoid sharing nodes with slave. If set to `{}` disables this option	soft: `true` weight: `50`

Disabling metrics:

- postgres.metrics.enabled: False
+ postgres.metrics.enabled: true

Disabling probres:

- postgres.master.livenessProbe.enabled: true
- postgres.master.readinessProbe.enabled: true
+ postgres.master.livenessProbe.enabled: False
+ postgres.master.readinessProbe.enabled: False

ichbinfrog/postgres-helm-chart