Going step by step ensures that you can focus on understanding the \u2018why\u2019 while learning the \u2018how\u2019.<\/p>\n
Here is what you are going to learn in this comprehensive PostgreSQL deployment guide.<\/p>\n
PostgreSQL Cluster Kubernetes Manifests<\/strong><\/h2>\nAll the Kubernetes YAML manifests used in this guide are hosted on Github. Clone the repository for reference and implementation.<\/p>\n
git clone https:\/\/github.com\/scriptcamp\/kubernetes-postgresql.git<\/code><\/pre>\nWe have explained all the manifests required for PostgreSQL on Kubernetes. If you have trouble copying the manifests from the article, please clone and refer to the manifests directly.<\/p>\n
We have categorized the manifest into three folders named client<\/strong>, pgpool<\/strong> and postgresql<\/strong> as shown below.<\/p>\n\u251c\u2500\u2500 client\n\u2502 \u251c\u2500\u2500 client-pod.yaml\n\u2502 \u2514\u2500\u2500 psql-client.yaml\n\u251c\u2500\u2500 pgpool\n\u2502 \u251c\u2500\u2500 nginx.yaml\n\u2502 \u251c\u2500\u2500 pgpool-deployment.yaml\n\u2502 \u251c\u2500\u2500 pgpool-secret.yaml\n\u2502 \u251c\u2500\u2500 pgpool-svc-nodeport.yaml\n\u2502 \u2514\u2500\u2500 pgpool-svc.yaml\n\u2514\u2500\u2500 postgresql\n \u251c\u2500\u2500 postgres-configmap.yaml\n \u251c\u2500\u2500 postgres-headless-svc.yaml\n \u251c\u2500\u2500 postgres-secrets.yaml\n \u2514\u2500\u2500 postgres-statefulset.yaml<\/code><\/pre>\nIf you wish to deploy the components in one go, cd into each directory and execute the following. Start with postgresql<\/strong> directory.<\/p>\nkubectl apply -f .<\/code><\/pre>\nBitnami PostgreSQL Docker Image<\/strong><\/h2>\nThis tutorial has used Bitnami docker images, this has been done intentionally. There are certain advantages you can get as a beginner by using a Bitnami image.<\/p>\n
\n- Bitnami images are shipped with necessary components pre-installed. This lets us maintain our focus can understanding and becoming familiar with Kubernetes side of things in depth.<\/li>\n
- Bitnami images are well tested and validated before being released. This helps us save time and overcome any problems we may face with newer versions or patches.<\/li>\n
- Bitnami images are very well documented, you’ll find a satisfactory explaination of each and every environment variable being used by the bitnami image. So a natural fit for beginners.<\/li>\n<\/ol>\n
Above all, as a beginner – we should focus on understanding kubernetes components and avoid getting off our goal due to installing dozens of packages, finding documentation, etc.<\/p>\n
Bitnami does just that for us.<\/p>\n
High Level Architecture<\/h2>\n![\"PostgreSQL](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-18-37.png\")
<\/figure>\nCreate a Namespace<\/h2>\n
To deploy the PostgreSQL cluster, we will create a dedicated namespace named database.<\/p>\n
kubectl create namespace database<\/code><\/pre>\nThe manifest files do not have the namespace added to them. So we will add the namespace while deploying each component. If you don’t specify the namespace, it gets deployed in the default namespace.<\/p>\n
Creating Postgres Server ConfigMaps<\/strong><\/h2>\nA ConfigMaps in Kubernetes lets us mount files on containers without the need to make changes to the Dockerfile or rebuilding the container image.<\/p>\n
This feature is extremely helpful in cases where configurations have to be modified or created through files.<\/p>\n
Postgres requires a script (pre-stop.sh<\/code>) to be run whenever it is about to be stopped. We will mount this script into the pod using config maps.<\/p>\nSave the following manifest as postgres-configmap.yaml<\/code><\/p>\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: postgres-configmap\ndata:\n pre-stop.sh: |-\n #!\/bin\/bash\n set -o errexit\n set -o pipefail\n set -o nounset\n\n # Debug section\n exec 3>&1\n exec 4>&2\n\n # Load Libraries\n . \/opt\/bitnami\/scripts\/liblog.sh\n . \/opt\/bitnami\/scripts\/libpostgresql.sh\n . \/opt\/bitnami\/scripts\/librepmgr.sh\n\n # Auxiliary functions\n is_new_primary_ready() {\n return_value=1\n currenty_primary_node=\"$(repmgr_get_primary_node)\"\n currenty_primary_host=\"$(echo $currenty_primary_node | awk '{print $1}')\"\n\n info \"$currenty_primary_host != $REPMGR_NODE_NETWORK_NAME\"\n if [[ $(echo $currenty_primary_node | wc -w) -eq 2 ]] && [[ \"$currenty_primary_host\" != \"$REPMGR_NODE_NETWORK_NAME\" ]]; then\n info \"New primary detected, leaving the cluster...\"\n return_value=0\n else\n info \"Waiting for a new primary to be available...\"\n fi\n return $return_value\n }\n\n export MODULE=\"pre-stop-hook\"\n\n if [[ \"${BITNAMI_DEBUG}\" == \"true\" ]]; then\n info \"Bash debug is on\"\n else\n info \"Bash debug is off\"\n exec 1>\/dev\/null\n exec 2>\/dev\/null\n fi\n\n # Load PostgreSQL & repmgr environment variables\n . \/opt\/bitnami\/scripts\/postgresql-env.sh\n\n postgresql_enable_nss_wrapper\n\n # Prepare env vars for managing roles\n primary_node=\"$(repmgr_get_primary_node)\"\n primary_host=\"$(echo $primary_node | awk '{print $1}')\"\n\n # Stop postgresql for graceful exit.\n postgresql_stop\n\n if [[ \"$primary_host\" == \"$REPMGR_NODE_NETWORK_NAME\" ]]; then\n info \"Primary node need to wait for a new primary node before leaving the cluster\"\n retry_while is_new_primary_ready 10 5\n else\n info \"Standby node doesn't need to wait, leaving the cluster.\"\n fi<\/code><\/pre>\nCreate the configmap<\/p>\n
kubectl apply -f postgres-configmap.yaml -n database<\/code><\/pre>\nIt’s important to understand what the script is trying to do. Here is the overview:<\/p>\n
\n- The script first checks what type of component is getting stopped i.e. master or follower.<\/li>\n
- In case the master is getting stopped – the script delays the stoppage of the pod until a previous follower gets promoted to master.<\/li>\n
- This is done to ensure high availabiliy i.e. atleast one master with write capabilities should exist.<\/li>\n<\/ol>\n
Confusing? Don’t worry. Just follow on. After reading the high availability section, the above points would become clear and make much more sense. <\/p>\n
Be sure to go through the script and revisit the points.<\/p>\n
Deploy PostgreSQL Services<\/strong><\/h2>\nServices in Kubernetes are the objects that pods use to communicate with each other. Services of type ClusterIP<\/code> are usually used for inter-pod communication.<\/p>\nThere are two types of ClusterIP services<\/p>\n
\n- Headless Services<\/li>\n
- Services<\/li>\n<\/ol>\n
Normal Kubernetes services act as load balancers and follow round-robin logic<\/strong> to distribute loads. Headless services don\u2019t act like load balancers. Also, normal services are assigned IPs by Kubernetes whereas Headless services are not.<\/p>\nIn the case of Postgres servers, we require a headless service because it is a requirement for the PostgresSQL statefulset.<\/p>\n
Save the following manifest as postgres-headless-svc.yaml<\/code>.<\/p>\napiVersion: v1\nkind: Service\nmetadata:\n name: postgres-headless-svc\nspec:\n type: ClusterIP\n clusterIP: None\n ports:\n - name: postgresql\n port: 5432\n targetPort: postgresql\n protocol: TCP \n selector:\n app: postgres<\/code><\/pre>\nCreate the service.<\/p>\n
kubectl apply -f postgres-headless-svc.yaml -n database<\/code><\/pre>\nCreate PostgresSQL Server Secrets<\/strong><\/h2>\nSecrets in Kubernetes are the objects used for supplying sensitive information to containers. They are like ConfigMaps with the difference that data is store in a base 64 encoded format.<\/p>\n
For the security of our PostgreSQL cluster, it is wise to restrict access to the database with a password. We will use Secrets to mount our desired passwords to the containers.<\/p>\n
Note:<\/strong> In production use cases, a secrets management solution like hashicorp vault will be used to store and retrive secrets. You can refer to hashicorp vault setup guide<\/a> on Kubernetes to understand more.<\/p><\/blockquote>\nSave the following manifest as postgres-secrets.yaml<\/code>. Please change the password with a secure password of your own.<\/p>\napiVersion: v1\nkind: Secret\nmetadata:\n name: postgres-secrets\ndata:\n postgresql-password: \"V2JyVHBOM2c3cQ==\"\n repmgr-password: \"c1ZwYm90R2d4Nw==\"<\/code><\/pre>\nCreate the Secret.<\/p>\n
kubectl apply -f postgres-secrets.yaml -n database<\/code><\/pre>\nWhen the cluster is initialized, it creates certain users like postgres<\/code> & repmgr<\/code> in our case. The above passwords are for these users.<\/p>\nPostgreSQL StatefulSet<\/strong><\/h2>\nWhile deploying the PostgreSQL on Kubernetes, what object type should be used and why? Deployments<\/strong><\/a> or StatefulSets?<\/strong> <\/p>\nThe answer is StatefulSet. Let’s discuss!<\/p>\n
StatefulSet is the Kubernetes object used to manage stateful applications. It\u2019s preferred over deployments for this use case as it provides guarantees about the ordering and uniqueness of these Pods i.e. the management of volumes is better with stateful sets.<\/p>\n
This section is critical to get a deeper understanding of the deployment logic. So read with full concentration!<\/p>\n
As a beginner, it is important to understand why we want to deploy a Statefulset and not Deployments. After all, our focus is on understanding the \u2018why\u2019 along with learning the \u2018how\u2019.<\/p>\n
Why do We Need PostgreSQL<\/strong> Statefulset?<\/strong><\/h2>\nPostgres is going to be a stateful application i.e. it stores data (like tables, users) inside a volume. If the data is stored in pod ephemeral storage, then the data will get erased once the pod restarts.<\/p>\n
Also, Postgres may have to be scaled to more than one pod in caseload increases.<\/p>\n
All these operations have to be done in such a way that data consistency is maintained across all the pods like postgres-<\/code>0, postgres-1<\/code>, postgres-2<\/code>.<\/p>\nHow can we achieve this in Kubernetes? Think and then read ahead!<\/p>\n
Postgres implements continuous replication of data across all its pods. So when data is written on postgres-0<\/code> it gets replicated into postgres-1<\/code>. postgres-2<\/code> replicates data from postgres-3<\/code>. And so on\u2026<\/p>\nPostgres is able to do this continuous replication using an open-source tool called RepMgr<\/a> which comes built-in with Postgres docker image.<\/p>\nThe thing to understand here is that postgres-1<\/code> needs to know where to look for postgres-0<\/code>. Otherwise, How will the replication happen?<\/p>\n\n- How will it know from where to fetch data for the replication process?<\/li>\n
- How will postgres-1 know where to look for postgres-0?<\/li>\n
- How will postgres-2 know where to look for postgres-1?<\/li>\n<\/ol>\n
Let\u2019s try to answer these questions now.<\/p>\n
In case of deployments & stateful sets, pods are always assigned a unique name that can be used to look for the pods.<\/p>\n
In the case of deployments,<\/strong> pods are always assigned a unique name but this unique name changes after the pod are deleted & recreated<\/strong>. So it\u2019s not useful to identify any pod.<\/p>\nCase of deployments: name of pod initially: postgres-bcr25qd41c-skxpe <\/code><\/pre>\nIn the case of the stateful set <\/strong>\u2013 each pod is assigned a unique name and this unique name stays with it even if the pod is deleted <\/strong>& recreated.<\/p>\nCase of statefulsets: name of pod initially: postgres-0 <\/code><\/pre>\nThat\u2019s why we want to use a stateful set here i.e. so that we can reach any pod without any discrepancies.<\/p>\n
Also, this unique ordering ensures that each pod is allocated the same underlying volume irrespective of pod restarts.<\/p>\n
These concepts of Statefulset & deployments are not unique to Postgres deployments, if you explore \u2013 you\u2019ll find that many popular Kubernetes tools use stateful sets.<\/p>\n
Some examples are Hashicorp’s Vault, Elasticsearch, and many more. All of them use Stateful Set and not deployments due to the same logic.<\/p>\n
Deploy PostgreSQL StatefulSet<\/strong><\/h2>\nFirst, let\u2019s create the Statefulset. I have added an explanation for the Postgres Statefulset as well towards the end of this section.<\/p>\n
Save the following manifest as postgres-statefulset.yaml<\/code><\/p>\napiVersion: apps\/v1\nkind: StatefulSet\nmetadata:\n name: postgres-sts\nspec:\n serviceName: postgres-headless-svc\n replicas: 3\n selector:\n matchLabels:\n app: postgres\n template:\n metadata:\n labels:\n app: postgres\n spec:\n securityContext:\n fsGroup: 1001\n containers:\n - name: postgresql\n lifecycle:\n preStop:\n exec:\n command:\n - \/pre-stop.sh\n image: docker.io\/bitnami\/postgresql-repmgr:11.12.0-debian-10-r44\n imagePullPolicy: \"IfNotPresent\"\n securityContext:\n runAsUser: 1001\n # Auxiliary vars to populate environment variables\n env:\n - name: BITNAMI_DEBUG\n value: \"false\"\n # PostgreSQL configuration\n - name: POSTGRESQL_VOLUME_DIR\n value: \"\/bitnami\/postgresql\"\n - name: PGDATA\n value: \"\/bitnami\/postgresql\/data\"\n - name: POSTGRES_USER\n value: \"postgres\"\n - name: POSTGRES_PASSWORD\n valueFrom:\n secretKeyRef:\n name: postgres-secrets\n key: postgresql-password\n - name: POSTGRES_DB\n value: \"postgres\"\n - name: POSTGRESQL_LOG_HOSTNAME\n value: \"true\"\n - name: POSTGRESQL_LOG_CONNECTIONS\n value: \"false\"\n - name: POSTGRESQL_LOG_DISCONNECTIONS\n value: \"false\"\n - name: POSTGRESQL_PGAUDIT_LOG_CATALOG\n value: \"off\"\n - name: POSTGRESQL_CLIENT_MIN_MESSAGES\n value: \"error\"\n - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES\n value: \"pgaudit, repmgr\"\n - name: POSTGRESQL_ENABLE_TLS\n value: \"no\"\n # Repmgr configuration\n - name: MY_POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n - name: REPMGR_UPGRADE_EXTENSION\n value: \"no\"\n - name: REPMGR_PGHBA_TRUST_ALL\n value: \"no\"\n - name: REPMGR_MOUNTED_CONF_DIR\n value: \"\/bitnami\/repmgr\/conf\"\n - name: REPMGR_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: REPMGR_PARTNER_NODES\n value: postgres-sts-0.postgres-headless-svc.$(REPMGR_NAMESPACE).svc.cluster.local,postgres-sts-1.postgres-headless-svc.$(REPMGR_NAMESPACE).svc.cluster.local,postgres-sts-2.postgres-headless-svc.$(REPMGR_NAMESPACE).svc.cluster.local\n - name: REPMGR_PRIMARY_HOST\n value: \"postgres-sts-0.postgres-headless-svc.$(REPMGR_NAMESPACE).svc.cluster.local\"\n - name: REPMGR_NODE_NAME\n value: \"$(MY_POD_NAME)\"\n - name: REPMGR_NODE_NETWORK_NAME\n value: \"$(MY_POD_NAME).postgres-headless-svc.$(REPMGR_NAMESPACE).svc.cluster.local\"\n - name: REPMGR_LOG_LEVEL\n value: \"NOTICE\"\n - name: REPMGR_CONNECT_TIMEOUT\n value: \"5\"\n - name: REPMGR_RECONNECT_ATTEMPTS\n value: \"3\"\n - name: REPMGR_RECONNECT_INTERVAL\n value: \"5\"\n - name: REPMGR_USERNAME\n value: \"repmgr\"\n - name: REPMGR_PASSWORD\n valueFrom:\n secretKeyRef:\n name: postgres-secrets\n key: repmgr-password\n - name: REPMGR_DATABASE\n value: \"repmgr\"\n ports:\n - name: postgresql\n containerPort: 5432\n protocol: TCP\n livenessProbe:\n exec:\n command:\n - bash\n - -ec\n - 'PGPASSWORD=$POSTGRES_PASSWORD psql -w -U \"postgres\" -d \"postgres\" -h 127.0.0.1 -c \"SELECT 1\"'\n initialDelaySeconds: 30\n periodSeconds: 10\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 6\n readinessProbe:\n exec:\n command:\n - bash\n - -ec\n - 'PGPASSWORD=$POSTGRES_PASSWORD psql -w -U \"postgres\" -d \"postgres\" -h 127.0.0.1 -c \"SELECT 1\"'\n initialDelaySeconds: 5\n periodSeconds: 10\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 6\n volumeMounts:\n - name: data\n mountPath: \/bitnami\/postgresql\n - name: hooks-scripts\n mountPath: \/pre-stop.sh\n subPath: pre-stop.sh\n volumes:\n - name: hooks-scripts\n configMap:\n name: postgres-configmap\n defaultMode: 0755\n volumeClaimTemplates:\n - metadata:\n name: data\n spec:\n accessModes:\n - \"ReadWriteOnce\"\n resources:\n requests:\n storage: \"1Gi\"<\/code><\/pre>\nCreate the Statefulset.<\/p>\n
kubectl apply -f postgres-statefulset.yaml -n database<\/code><\/pre>\nThe Statefulset YAML of the PostgreSQL server has components such as configmap mounts, security context, probes, etc. Let understand the key configurations.<\/p>\n
Metadata as env vars:<\/strong> In Kubernetes, information like the name of pods, the namespace of the pods can be utilized as env var for the pod. <\/p>\nThis is useful in cases where the env vars need to use pods metadata or some Kubernetes defined fields for the pods.<\/p>\n
- name: MY_POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name \n- name: REPMGR_PASSWORD\n valueFrom:\n secretKeyRef:\n name: postgres-secrets <\/code><\/pre>\nEnv vars injected through secrets:<\/strong> Sometimes the containers need to know the sensitive data in order to make use of it. <\/p>\nFor e.g. in order to assign a password to the Postgres database, the required password must be supplied securely to the Postgres container.<\/p>\n
- name: POSTGRES_PASSWORD\n valueFrom:\n secretKeyRef:\n name: postgres-secrets\n key: postgresql-password\n - name: REPMGR_PASSWORD\n valueFrom:\n secretKeyRef:\n name: postgres-secrets\n key: repmgr-password <\/code><\/pre>\nProbes:<\/strong> Probes ensure that the vault does not get stuck in a loop due to any bug and can be restarted automatically in case an unexpected error comes up.<\/p>\n livenessProbe:\n exec:\n command:\n - bash\n - -ec\n - 'PGPASSWORD=$POSTGRES_PASSWORD psql -w -U \"postgres\" -d \"postgres\" -h 127.0.0.1 -c \"SELECT 1\"'\n initialDelaySeconds: 30\n periodSeconds: 10\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 6\n readinessProbe:\n exec:\n command:\n - bash\n - -ec\n - 'PGPASSWORD=$POSTGRES_PASSWORD psql -w -U \"postgres\" -d \"postgres\" -h 127.0.0.1 -c \"SELECT 1\"'\n initialDelaySeconds: 5\n periodSeconds: 10\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 6<\/code><\/pre>\nBasic principle of the above probes<\/strong><\/h3>\nHere the command used is just going to the “postgres<\/code>” database using the “postgres<\/code>” user and running the “SELECT 1” query. <\/p>\nIf the Postgres process is running correctly, then the query will have a successful exit code. Otherwise not. <\/p>\n
That’s how we can be sure that the probes can tell us if the process is running or the container needs to be restarted!<\/p>\n
VolumeClaimTemplates: <\/strong>A template by which a stateful set can create volumes for replicas.<\/p>\n volumeClaimTemplates:\n - metadata:\n name: data\n spec:\n accessModes:\n - \"ReadWriteOnce\"\n resources:\n requests:\n storage: \"1Gi\"<\/code><\/pre>\nLet’s go through the important env vars for the Postgres process now.<\/p>\n
\n- POSTGRESQL_VOLUME_DIR<\/strong>: The directory where the Postgres process shall write its configuration files and data. This is the directory that we should mount with a PVC.<\/li>\n
- PGDATA<\/strong>: The directory inside the main Postgres directory where the data directory should be created.<\/li>\n
- POSTGRES_USER<\/strong>: The user that should be created automatically when the Postgres process starts.<\/li>\n
- POSTGRES_PASSWORD<\/strong>: The password for the user created by default.<\/li>\n
- POSTGRES_DB<\/strong>: The database which should be created when the Postgres process starts.<\/li>\n<\/ol>\n
Let’s discuss the RepMgr<\/strong> now.<\/p>\nRepMgr Inside PostgresSQL Servers<\/strong><\/h2>\nRepMgr is an open-source tool shipped with Postgres which serves two purposes: Replication & Failover.<\/p>\n
\n- Replication<\/strong>: It replicates data from the primary server to all the replicas. This helps in reducing the load on the servers by distributing read & write queries.<\/li>\n
- Failover<\/strong>: It can handle failovers in the cluster i.e. it can promote a read-only server to a primary server when required.<\/li>\n<\/ol>\n
git clone https:\/\/github.com\/scriptcamp\/kubernetes-postgresql.git<\/code><\/pre>\nWe have explained all the manifests required for PostgreSQL on Kubernetes. If you have trouble copying the manifests from the article, please clone and refer to the manifests directly.<\/p>\n
We have categorized the manifest into three folders named client<\/strong>, pgpool<\/strong> and postgresql<\/strong> as shown below.<\/p>\n\u251c\u2500\u2500 client\n\u2502 \u251c\u2500\u2500 client-pod.yaml\n\u2502 \u2514\u2500\u2500 psql-client.yaml\n\u251c\u2500\u2500 pgpool\n\u2502 \u251c\u2500\u2500 nginx.yaml\n\u2502 \u251c\u2500\u2500 pgpool-deployment.yaml\n\u2502 \u251c\u2500\u2500 pgpool-secret.yaml\n\u2502 \u251c\u2500\u2500 pgpool-svc-nodeport.yaml\n\u2502 \u2514\u2500\u2500 pgpool-svc.yaml\n\u2514\u2500\u2500 postgresql\n \u251c\u2500\u2500 postgres-configmap.yaml\n \u251c\u2500\u2500 postgres-headless-svc.yaml\n \u251c\u2500\u2500 postgres-secrets.yaml\n \u2514\u2500\u2500 postgres-statefulset.yaml<\/code><\/pre>\nIf you wish to deploy the components in one go, cd into each directory and execute the following. Start with postgresql<\/strong> directory.<\/p>\nkubectl apply -f .<\/code><\/pre>\nBitnami PostgreSQL Docker Image<\/strong><\/h2>\nThis tutorial has used Bitnami docker images, this has been done intentionally. There are certain advantages you can get as a beginner by using a Bitnami image.<\/p>\n
\n- Bitnami images are shipped with necessary components pre-installed. This lets us maintain our focus can understanding and becoming familiar with Kubernetes side of things in depth.<\/li>\n
- Bitnami images are well tested and validated before being released. This helps us save time and overcome any problems we may face with newer versions or patches.<\/li>\n
- Bitnami images are very well documented, you’ll find a satisfactory explaination of each and every environment variable being used by the bitnami image. So a natural fit for beginners.<\/li>\n<\/ol>\n
Above all, as a beginner – we should focus on understanding kubernetes components and avoid getting off our goal due to installing dozens of packages, finding documentation, etc.<\/p>\n
Bitnami does just that for us.<\/p>\n
High Level Architecture<\/h2>\n<\/figure>\nCreate a Namespace<\/h2>\n
To deploy the PostgreSQL cluster, we will create a dedicated namespace named database.<\/p>\n
kubectl create namespace database<\/code><\/pre>\nThe manifest files do not have the namespace added to them. So we will add the namespace while deploying each component. If you don’t specify the namespace, it gets deployed in the default namespace.<\/p>\n
Creating Postgres Server ConfigMaps<\/strong><\/h2>\nA ConfigMaps in Kubernetes lets us mount files on containers without the need to make changes to the Dockerfile or rebuilding the container image.<\/p>\n
This feature is extremely helpful in cases where configurations have to be modified or created through files.<\/p>\n
Postgres requires a script (pre-stop.sh<\/code>) to be run whenever it is about to be stopped. We will mount this script into the pod using config maps.<\/p>\nSave the following manifest as postgres-configmap.yaml<\/code><\/p>\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: postgres-configmap\ndata:\n pre-stop.sh: |-\n #!\/bin\/bash\n set -o errexit\n set -o pipefail\n set -o nounset\n\n # Debug section\n exec 3>&1\n exec 4>&2\n\n # Load Libraries\n . \/opt\/bitnami\/scripts\/liblog.sh\n . \/opt\/bitnami\/scripts\/libpostgresql.sh\n . \/opt\/bitnami\/scripts\/librepmgr.sh\n\n # Auxiliary functions\n is_new_primary_ready() {\n return_value=1\n currenty_primary_node=\"$(repmgr_get_primary_node)\"\n currenty_primary_host=\"$(echo $currenty_primary_node | awk '{print $1}')\"\n\n info \"$currenty_primary_host != $REPMGR_NODE_NETWORK_NAME\"\n if [[ $(echo $currenty_primary_node | wc -w) -eq 2 ]] && [[ \"$currenty_primary_host\" != \"$REPMGR_NODE_NETWORK_NAME\" ]]; then\n info \"New primary detected, leaving the cluster...\"\n return_value=0\n else\n info \"Waiting for a new primary to be available...\"\n fi\n return $return_value\n }\n\n export MODULE=\"pre-stop-hook\"\n\n if [[ \"${BITNAMI_DEBUG}\" == \"true\" ]]; then\n info \"Bash debug is on\"\n else\n info \"Bash debug is off\"\n exec 1>\/dev\/null\n exec 2>\/dev\/null\n fi\n\n # Load PostgreSQL & repmgr environment variables\n . \/opt\/bitnami\/scripts\/postgresql-env.sh\n\n postgresql_enable_nss_wrapper\n\n # Prepare env vars for managing roles\n primary_node=\"$(repmgr_get_primary_node)\"\n primary_host=\"$(echo $primary_node | awk '{print $1}')\"\n\n # Stop postgresql for graceful exit.\n postgresql_stop\n\n if [[ \"$primary_host\" == \"$REPMGR_NODE_NETWORK_NAME\" ]]; then\n info \"Primary node need to wait for a new primary node before leaving the cluster\"\n retry_while is_new_primary_ready 10 5\n else\n info \"Standby node doesn't need to wait, leaving the cluster.\"\n fi<\/code><\/pre>\nCreate the configmap<\/p>\n
kubectl apply -f postgres-configmap.yaml -n database<\/code><\/pre>\nIt’s important to understand what the script is trying to do. Here is the overview:<\/p>\n
\n- The script first checks what type of component is getting stopped i.e. master or follower.<\/li>\n
- In case the master is getting stopped – the script delays the stoppage of the pod until a previous follower gets promoted to master.<\/li>\n
- This is done to ensure high availabiliy i.e. atleast one master with write capabilities should exist.<\/li>\n<\/ol>\n
Confusing? Don’t worry. Just follow on. After reading the high availability section, the above points would become clear and make much more sense. <\/p>\n
Be sure to go through the script and revisit the points.<\/p>\n
Deploy PostgreSQL Services<\/strong><\/h2>\nServices in Kubernetes are the objects that pods use to communicate with each other. Services of type ClusterIP<\/code> are usually used for inter-pod communication.<\/p>\nThere are two types of ClusterIP services<\/p>\n
\n- Headless Services<\/li>\n
- Services<\/li>\n<\/ol>\n
Normal Kubernetes services act as load balancers and follow round-robin logic<\/strong> to distribute loads. Headless services don\u2019t act like load balancers. Also, normal services are assigned IPs by Kubernetes whereas Headless services are not.<\/p>\nIn the case of Postgres servers, we require a headless service because it is a requirement for the PostgresSQL statefulset.<\/p>\n
Save the following manifest as postgres-headless-svc.yaml<\/code>.<\/p>\napiVersion: v1\nkind: Service\nmetadata:\n name: postgres-headless-svc\nspec:\n type: ClusterIP\n clusterIP: None\n ports:\n - name: postgresql\n port: 5432\n targetPort: postgresql\n protocol: TCP \n selector:\n app: postgres<\/code><\/pre>\nCreate the service.<\/p>\n
kubectl apply -f postgres-headless-svc.yaml -n database<\/code><\/pre>\nCreate PostgresSQL Server Secrets<\/strong><\/h2>\nSecrets in Kubernetes are the objects used for supplying sensitive information to containers. They are like ConfigMaps with the difference that data is store in a base 64 encoded format.<\/p>\n
For the security of our PostgreSQL cluster, it is wise to restrict access to the database with a password. We will use Secrets to mount our desired passwords to the containers.<\/p>\n
Note:<\/strong> In production use cases, a secrets management solution like hashicorp vault will be used to store and retrive secrets. You can refer to hashicorp vault setup guide<\/a> on Kubernetes to understand more.<\/p><\/blockquote>\nSave the following manifest as postgres-secrets.yaml<\/code>. Please change the password with a secure password of your own.<\/p>\napiVersion: v1\nkind: Secret\nmetadata:\n name: postgres-secrets\ndata:\n postgresql-password: \"V2JyVHBOM2c3cQ==\"\n repmgr-password: \"c1ZwYm90R2d4Nw==\"<\/code><\/pre>\nCreate the Secret.<\/p>\n
kubectl apply -f postgres-secrets.yaml -n database<\/code><\/pre>\nWhen the cluster is initialized, it creates certain users like postgres<\/code> & repmgr<\/code> in our case. The above passwords are for these users.<\/p>\nPostgreSQL StatefulSet<\/strong><\/h2>\nWhile deploying the PostgreSQL on Kubernetes, what object type should be used and why? Deployments<\/strong><\/a> or StatefulSets?<\/strong> <\/p>\nThe answer is StatefulSet. Let’s discuss!<\/p>\n
StatefulSet is the Kubernetes object used to manage stateful applications. It\u2019s preferred over deployments for this use case as it provides guarantees about the ordering and uniqueness of these Pods i.e. the management of volumes is better with stateful sets.<\/p>\n
This section is critical to get a deeper understanding of the deployment logic. So read with full concentration!<\/p>\n
As a beginner, it is important to understand why we want to deploy a Statefulset and not Deployments. After all, our focus is on understanding the \u2018why\u2019 along with learning the \u2018how\u2019.<\/p>\n
Why do We Need PostgreSQL<\/strong> Statefulset?<\/strong><\/h2>\nPostgres is going to be a stateful application i.e. it stores data (like tables, users) inside a volume. If the data is stored in pod ephemeral storage, then the data will get erased once the pod restarts.<\/p>\n
Also, Postgres may have to be scaled to more than one pod in caseload increases.<\/p>\n
All these operations have to be done in such a way that data consistency is maintained across all the pods like postgres-<\/code>0, postgres-1<\/code>, postgres-2<\/code>.<\/p>\nHow can we achieve this in Kubernetes? Think and then read ahead!<\/p>\n
Postgres implements continuous replication of data across all its pods. So when data is written on postgres-0<\/code> it gets replicated into postgres-1<\/code>. postgres-2<\/code> replicates data from postgres-3<\/code>. And so on\u2026<\/p>\nPostgres is able to do this continuous replication using an open-source tool called RepMgr<\/a> which comes built-in with Postgres docker image.<\/p>\nThe thing to understand here is that postgres-1<\/code> needs to know where to look for postgres-0<\/code>. Otherwise, How will the replication happen?<\/p>\n\n- How will it know from where to fetch data for the replication process?<\/li>\n
- How will postgres-1 know where to look for postgres-0?<\/li>\n
- How will postgres-2 know where to look for postgres-1?<\/li>\n<\/ol>\n
Let\u2019s try to answer these questions now.<\/p>\n
In case of deployments & stateful sets, pods are always assigned a unique name that can be used to look for the pods.<\/p>\n
In the case of deployments,<\/strong> pods are always assigned a unique name but this unique name changes after the pod are deleted & recreated<\/strong>. So it\u2019s not useful to identify any pod.<\/p>\nCase of deployments: name of pod initially: postgres-bcr25qd41c-skxpe <\/code><\/pre>\nIn the case of the stateful set <\/strong>\u2013 each pod is assigned a unique name and this unique name stays with it even if the pod is deleted <\/strong>& recreated.<\/p>\nCase of statefulsets: name of pod initially: postgres-0 <\/code><\/pre>\nThat\u2019s why we want to use a stateful set here i.e. so that we can reach any pod without any discrepancies.<\/p>\n
Also, this unique ordering ensures that each pod is allocated the same underlying volume irrespective of pod restarts.<\/p>\n
These concepts of Statefulset & deployments are not unique to Postgres deployments, if you explore \u2013 you\u2019ll find that many popular Kubernetes tools use stateful sets.<\/p>\n
Some examples are Hashicorp’s Vault, Elasticsearch, and many more. All of them use Stateful Set and not deployments due to the same logic.<\/p>\n
Deploy PostgreSQL StatefulSet<\/strong><\/h2>\nFirst, let\u2019s create the Statefulset. I have added an explanation for the Postgres Statefulset as well towards the end of this section.<\/p>\n
Save the following manifest as postgres-statefulset.yaml<\/code><\/p>\napiVersion: apps\/v1\nkind: StatefulSet\nmetadata:\n name: postgres-sts\nspec:\n serviceName: postgres-headless-svc\n replicas: 3\n selector:\n matchLabels:\n app: postgres\n template:\n metadata:\n labels:\n app: postgres\n spec:\n securityContext:\n fsGroup: 1001\n containers:\n - name: postgresql\n lifecycle:\n preStop:\n exec:\n command:\n - \/pre-stop.sh\n image: docker.io\/bitnami\/postgresql-repmgr:11.12.0-debian-10-r44\n imagePullPolicy: \"IfNotPresent\"\n securityContext:\n runAsUser: 1001\n # Auxiliary vars to populate environment variables\n env:\n - name: BITNAMI_DEBUG\n value: \"false\"\n # PostgreSQL configuration\n - name: POSTGRESQL_VOLUME_DIR\n value: \"\/bitnami\/postgresql\"\n - name: PGDATA\n value: \"\/bitnami\/postgresql\/data\"\n - name: POSTGRES_USER\n value: \"postgres\"\n - name: POSTGRES_PASSWORD\n valueFrom:\n secretKeyRef:\n name: postgres-secrets\n key: postgresql-password\n - name: POSTGRES_DB\n value: \"postgres\"\n - name: POSTGRESQL_LOG_HOSTNAME\n value: \"true\"\n - name: POSTGRESQL_LOG_CONNECTIONS\n value: \"false\"\n - name: POSTGRESQL_LOG_DISCONNECTIONS\n value: \"false\"\n - name: POSTGRESQL_PGAUDIT_LOG_CATALOG\n value: \"off\"\n - name: POSTGRESQL_CLIENT_MIN_MESSAGES\n value: \"error\"\n - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES\n value: \"pgaudit, repmgr\"\n - name: POSTGRESQL_ENABLE_TLS\n value: \"no\"\n # Repmgr configuration\n - name: MY_POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n - name: REPMGR_UPGRADE_EXTENSION\n value: \"no\"\n - name: REPMGR_PGHBA_TRUST_ALL\n value: \"no\"\n - name: REPMGR_MOUNTED_CONF_DIR\n value: \"\/bitnami\/repmgr\/conf\"\n - name: REPMGR_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: REPMGR_PARTNER_NODES\n value: postgres-sts-0.postgres-headless-svc.$(REPMGR_NAMESPACE).svc.cluster.local,postgres-sts-1.postgres-headless-svc.$(REPMGR_NAMESPACE).svc.cluster.local,postgres-sts-2.postgres-headless-svc.$(REPMGR_NAMESPACE).svc.cluster.local\n - name: REPMGR_PRIMARY_HOST\n value: \"postgres-sts-0.postgres-headless-svc.$(REPMGR_NAMESPACE).svc.cluster.local\"\n - name: REPMGR_NODE_NAME\n value: \"$(MY_POD_NAME)\"\n - name: REPMGR_NODE_NETWORK_NAME\n value: \"$(MY_POD_NAME).postgres-headless-svc.$(REPMGR_NAMESPACE).svc.cluster.local\"\n - name: REPMGR_LOG_LEVEL\n value: \"NOTICE\"\n - name: REPMGR_CONNECT_TIMEOUT\n value: \"5\"\n - name: REPMGR_RECONNECT_ATTEMPTS\n value: \"3\"\n - name: REPMGR_RECONNECT_INTERVAL\n value: \"5\"\n - name: REPMGR_USERNAME\n value: \"repmgr\"\n - name: REPMGR_PASSWORD\n valueFrom:\n secretKeyRef:\n name: postgres-secrets\n key: repmgr-password\n - name: REPMGR_DATABASE\n value: \"repmgr\"\n ports:\n - name: postgresql\n containerPort: 5432\n protocol: TCP\n livenessProbe:\n exec:\n command:\n - bash\n - -ec\n - 'PGPASSWORD=$POSTGRES_PASSWORD psql -w -U \"postgres\" -d \"postgres\" -h 127.0.0.1 -c \"SELECT 1\"'\n initialDelaySeconds: 30\n periodSeconds: 10\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 6\n readinessProbe:\n exec:\n command:\n - bash\n - -ec\n - 'PGPASSWORD=$POSTGRES_PASSWORD psql -w -U \"postgres\" -d \"postgres\" -h 127.0.0.1 -c \"SELECT 1\"'\n initialDelaySeconds: 5\n periodSeconds: 10\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 6\n volumeMounts:\n - name: data\n mountPath: \/bitnami\/postgresql\n - name: hooks-scripts\n mountPath: \/pre-stop.sh\n subPath: pre-stop.sh\n volumes:\n - name: hooks-scripts\n configMap:\n name: postgres-configmap\n defaultMode: 0755\n volumeClaimTemplates:\n - metadata:\n name: data\n spec:\n accessModes:\n - \"ReadWriteOnce\"\n resources:\n requests:\n storage: \"1Gi\"<\/code><\/pre>\nCreate the Statefulset.<\/p>\n
kubectl apply -f postgres-statefulset.yaml -n database<\/code><\/pre>\nThe Statefulset YAML of the PostgreSQL server has components such as configmap mounts, security context, probes, etc. Let understand the key configurations.<\/p>\n
Metadata as env vars:<\/strong> In Kubernetes, information like the name of pods, the namespace of the pods can be utilized as env var for the pod. <\/p>\nThis is useful in cases where the env vars need to use pods metadata or some Kubernetes defined fields for the pods.<\/p>\n
- name: MY_POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name \n- name: REPMGR_PASSWORD\n valueFrom:\n secretKeyRef:\n name: postgres-secrets <\/code><\/pre>\nEnv vars injected through secrets:<\/strong> Sometimes the containers need to know the sensitive data in order to make use of it. <\/p>\nFor e.g. in order to assign a password to the Postgres database, the required password must be supplied securely to the Postgres container.<\/p>\n
- name: POSTGRES_PASSWORD\n valueFrom:\n secretKeyRef:\n name: postgres-secrets\n key: postgresql-password\n - name: REPMGR_PASSWORD\n valueFrom:\n secretKeyRef:\n name: postgres-secrets\n key: repmgr-password <\/code><\/pre>\nProbes:<\/strong> Probes ensure that the vault does not get stuck in a loop due to any bug and can be restarted automatically in case an unexpected error comes up.<\/p>\n livenessProbe:\n exec:\n command:\n - bash\n - -ec\n - 'PGPASSWORD=$POSTGRES_PASSWORD psql -w -U \"postgres\" -d \"postgres\" -h 127.0.0.1 -c \"SELECT 1\"'\n initialDelaySeconds: 30\n periodSeconds: 10\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 6\n readinessProbe:\n exec:\n command:\n - bash\n - -ec\n - 'PGPASSWORD=$POSTGRES_PASSWORD psql -w -U \"postgres\" -d \"postgres\" -h 127.0.0.1 -c \"SELECT 1\"'\n initialDelaySeconds: 5\n periodSeconds: 10\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 6<\/code><\/pre>\nBasic principle of the above probes<\/strong><\/h3>\nHere the command used is just going to the “postgres<\/code>” database using the “postgres<\/code>” user and running the “SELECT 1” query. <\/p>\nIf the Postgres process is running correctly, then the query will have a successful exit code. Otherwise not. <\/p>\n
That’s how we can be sure that the probes can tell us if the process is running or the container needs to be restarted!<\/p>\n
VolumeClaimTemplates: <\/strong>A template by which a stateful set can create volumes for replicas.<\/p>\n volumeClaimTemplates:\n - metadata:\n name: data\n spec:\n accessModes:\n - \"ReadWriteOnce\"\n resources:\n requests:\n storage: \"1Gi\"<\/code><\/pre>\nLet’s go through the important env vars for the Postgres process now.<\/p>\n
\n- POSTGRESQL_VOLUME_DIR<\/strong>: The directory where the Postgres process shall write its configuration files and data. This is the directory that we should mount with a PVC.<\/li>\n
- PGDATA<\/strong>: The directory inside the main Postgres directory where the data directory should be created.<\/li>\n
- POSTGRES_USER<\/strong>: The user that should be created automatically when the Postgres process starts.<\/li>\n
- POSTGRES_PASSWORD<\/strong>: The password for the user created by default.<\/li>\n
- POSTGRES_DB<\/strong>: The database which should be created when the Postgres process starts.<\/li>\n<\/ol>\n
Let’s discuss the RepMgr<\/strong> now.<\/p>\nRepMgr Inside PostgresSQL Servers<\/strong><\/h2>\nRepMgr is an open-source tool shipped with Postgres which serves two purposes: Replication & Failover.<\/p>\n
\n- Replication<\/strong>: It replicates data from the primary server to all the replicas. This helps in reducing the load on the servers by distributing read & write queries.<\/li>\n
- Failover<\/strong>: It can handle failovers in the cluster i.e. it can promote a read-only server to a primary server when required.<\/li>\n<\/ol>\n