home-assistant: Use external PostgreSQL server
Home Assistant uses PostgreSQL for recording the history of entity states. Since we had been using the in-cluster database server for this, the data were migrated to the new external PostgreSQL server automatically when the backup from the former was restored on the latter. It follows, then, that we can point Home Assistant to the new server as well. Home Assistant uses SQLAlchemy, which in turn uses _libpq_ via _psycopg_, as a client for PostgreSQL. It doesn't expose any configuration parameters beyond the "database URL" directly, but we can use the standard environment variables to specify the certificate and private key for authentication. In fact, the empty `postgresql://` URL is sufficient, and indicates that _all_ of the connection parameters should be taken from environment variables. This means the `wait-for-db` init container and the main container take the exact same environment variables, so we can use YAML anchors to share their definitions.
parent
a269f8a1ae
commit
215b2c6975
|
@ -33,7 +33,7 @@ http:
|
||||||
use_x_forwarded_for: true
|
use_x_forwarded_for: true
|
||||||
|
|
||||||
recorder:
|
recorder:
|
||||||
db_url: !env_var RECORDER_DB_URL
|
db_url: postgresql://
|
||||||
db_max_retries: 100
|
db_max_retries: 100
|
||||||
purge_keep_days: 366
|
purge_keep_days: 366
|
||||||
commit_interval: 0
|
commit_interval: 0
|
||||||
|
|
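Review bot: The bare `db_url: postgresql://` reads like a truncated URL to anyone who opens this file without the commit message, and nothing here says where the connection settings now come from. A comment above it would help, for example `# Empty URL: libpq takes host, user, database and TLS client cert/key from the PG* environment variables set on the container`. The `recorder:` mapping may continue past the end of this hunk.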
|
@ -10,6 +10,7 @@ labels:
|
||||||
resources:
|
resources:
|
||||||
- namespace.yaml
|
- namespace.yaml
|
||||||
- secrets.yaml
|
- secrets.yaml
|
||||||
|
- postgres-cert.yaml
|
||||||
- home-assistant.yaml
|
- home-assistant.yaml
|
||||||
- mosquitto-cert.yaml
|
- mosquitto-cert.yaml
|
||||||
- mosquitto.yaml
|
- mosquitto.yaml
|
||||||
|
@ -18,6 +19,7 @@ resources:
|
||||||
- piper.yaml
|
- piper.yaml
|
||||||
- whisper.yaml
|
- whisper.yaml
|
||||||
- ingress.yaml
|
- ingress.yaml
|
||||||
|
- ../dch-root-ca
|
||||||
|
|
||||||
configMapGenerator:
|
configMapGenerator:
|
||||||
- name: home-assistant
|
- name: home-assistant
|
||||||
|
@ -55,43 +57,42 @@ patches:
|
||||||
- sh
|
- sh
|
||||||
- -c
|
- -c
|
||||||
- until pg_isready; do sleep 1; done
|
- until pg_isready; do sleep 1; done
|
||||||
env:
|
env: &pgsqlenv
|
||||||
- name: PGHOST
|
- name: PGHOST
|
||||||
value: default.postgresql
|
value: postgresql.pyrocufflink.blue
|
||||||
- name: PGGDATABASE
|
- name: PGGDATABASE
|
||||||
value: homeassistant
|
value: homeassistant
|
||||||
- name: PGUSER
|
- name: PGUSER
|
||||||
valueFrom:
|
value: homeassistant
|
||||||
secretKeyRef:
|
- name: PGSSLMODE
|
||||||
name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
|
value: verify-full
|
||||||
key: username
|
- name: PGSSLROOTCERT
|
||||||
- name: PGPASSWORD
|
value: /run/dch-ca/dch-root-ca.crt
|
||||||
valueFrom:
|
- name: PGSSLCERT
|
||||||
secretKeyRef:
|
value: /run/secrets/home-assistant/postgresql/tls.crt
|
||||||
name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
|
- name: PGSSLKEY
|
||||||
key: password
|
value: /run/secrets/home-assistant/postgresql/tls.key
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /run/dch-ca/
|
||||||
|
name: dch-root-ca
|
||||||
|
readOnly: true
|
||||||
|
- mountPath: /run/secrets/home-assistant/postgresql
|
||||||
|
name: postgresql-cert
|
||||||
containers:
|
containers:
|
||||||
- name: home-assistant
|
- name: home-assistant
|
||||||
env:
|
env: *pgsqlenv
|
||||||
- name: RECORDER_DB_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
|
|
||||||
key: password
|
|
||||||
- name: RECORDER_DB_USERNAME
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
|
|
||||||
key: username
|
|
||||||
- name: RECORDER_DB_URL
|
|
||||||
value: postgresql://$(RECORDER_DB_USERNAME):$(RECORDER_DB_PASSWORD)@default.postgresql/homeassistant
|
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- mountPath: /run/config
|
- mountPath: /run/config
|
||||||
name: home-assistant-config
|
name: home-assistant-config
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
- mountPath: /run/dch-ca/
|
||||||
|
name: dch-root-ca
|
||||||
|
readOnly: true
|
||||||
- mountPath: /run/secrets/home-assistant
|
- mountPath: /run/secrets/home-assistant
|
||||||
name: home-assistant-secrets
|
name: home-assistant-secrets
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
- mountPath: /run/secrets/home-assistant/postgresql
|
||||||
|
name: postgresql-cert
|
||||||
volumes:
|
volumes:
|
||||||
- name: home-assistant-config
|
- name: home-assistant-config
|
||||||
configMap:
|
configMap:
|
||||||
|
@ -101,3 +102,10 @@ patches:
|
||||||
secret:
|
secret:
|
||||||
secretName: home-assistant
|
secretName: home-assistant
|
||||||
defaultMode: 0640
|
defaultMode: 0640
|
||||||
|
- name: postgresql-cert
|
||||||
|
secret:
|
||||||
|
secretName: postgres-client-cert
|
||||||
|
defaultMode: 0640
|
||||||
|
- name: dch-root-ca
|
||||||
|
configMap:
|
||||||
|
name: dch-root-ca
|
||||||
|
|
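Review bot: `PGGDATABASE` in the shared `&pgsqlenv` list (the `@ -55,43 +57,42 @@` hunk) is not a variable libpq reads; the name is `PGDATABASE`. The typo predates this commit, but it now affects the main container too, because `env: *pgsqlenv` together with the empty `postgresql://` URL means the database name is taken from the environment there as well. The connection presumably still reaches the `homeassistant` database only because libpq falls back to the user name when no database is given. Renaming the entry to `- name: PGDATABASE` makes the target explicit, so it does not silently change if `PGUSER` ever does.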
|
@ -0,0 +1,13 @@
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: postgres-client-cert
|
||||||
|
spec:
|
||||||
|
commonName: homeassistant
|
||||||
|
privateKey:
|
||||||
|
algorithm: ECDSA
|
||||||
|
secretName: postgres-client-cert
|
||||||
|
issuerRef:
|
||||||
|
name: postgresql-ca
|
||||||
|
kind: ClusterIssuer
|
||||||
|
|
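Review bot: The new `Certificate` sets no `usages`, so cert-manager applies its defaults (digital signature and key encipherment) and the issued certificate is not marked as a client-authentication certificate. Since this credential replaces the database password, it is worth constraining it to that purpose by adding `usages: ["client auth"]` under `spec`. `duration` and `privateKey.rotationPolicy` are also left to defaults, which differ between cert-manager versions, so stating them explicitly would make the rotation behaviour of this key reviewable from the manifest.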