Customize a Postgres Cluster
Postgres is known for its ease of customization; PGO helps you to roll out changes efficiently and without disruption. After resizing the resources for our Postgres cluster in the previous step of this tutorial, let’s see how we can tweak our Postgres configuration to optimize its usage of them.
Custom Postgres Configuration
Part of the trick of managing multiple instances in a Postgres cluster is ensuring all of the configuration changes are propagated to each of them. This is where PGO helps: when you make a Postgres configuration change for a cluster, PGO will apply the changes to all of the managed instances.
For example, in our previous step we added CPU and memory limits of
4Gi respectively. Let’s tweak some of the Postgres settings to better use our new resources. We can do this in the
spec.patroni.dynamicConfiguration section. Here is an example updated manifest that tweaks several settings:
- name: instance1
- name: repo1
(If you are on OpenShift, ensure that
spec.openshift is set to
In particular, we added the following to
Apply these updates to your Kubernetes cluster with the following command:
kubectl apply -k kustomize/postgres
PGO will go and apply these settings to all of the Postgres clusters. You can verify that the changes are present using the Postgres
SHOW command, e.g.
should yield something similar to:
All connections in PGO use TLS to encrypt communication between components. PGO sets up a PKI and certificate authority (CA) that allow you to create verifiable endpoints. However, you may want to bring a different TLS infrastructure based upon your organizational requirements. The good news: PGO lets you do this!
If you want to use the TLS infrastructure that PGO provides, you can skip the rest of this section and move on to learning how to apply software updates.
How to Customize TLS
There are a few different TLS endpoints that can be customized for PGO, including those of the Postgres cluster and controlling how Postgres instances authenticate with each other. Let’s look at how we can customize TLS.
Your TLS certificate should have a Common Name (CN) setting that matches the primary Service name. This is the name of the cluster suffixed with
-primary. For example, for our
hippo cluster this would be
To customize the TLS for a Postgres cluster, you will need to create a Secret in the Namespace of your Postgres cluster that contains the TLS key (
tls.key), TLS certificate (
tls.crt) and the CA certificate (
ca.crt) to use. The Secret should contain the following values:
For example, if you have files named
hippo.crt stored on your local machine, you could run the following command:
kubectl create secret generic -n postgres-operator hippo.tls \
You can specify the custom TLS Secret in the
spec.customTLSSecret.name field in your
postgrescluster.postgres-operator.crunchydata.com custom resource, e.g:
If you’re unable to control the key-value pairs in the Secret, you can create a mapping that looks similar to this:
- key: <tls.crt key>
- key: <tls.key key>
- key: <ca.crt key>
spec.customTLSSecret is provided you must also provide
spec.customReplicationTLSSecret and both must contain the same
As with the other changes, you can roll out the TLS customizations with
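
Before the files go into the Secret, it is worth checking them against the requirements above: the CN matches the expected name, the private key belongs to the certificate, and the certificate verifies against the CA file. The script below is an added example, not part of PGO or the original tutorial; the function names, the throwaway `demo-ca` PKI and the expected name `hippo-primary` are assumptions, so substitute the full name your certificate is meant to carry.

```shell
#!/bin/sh
# Added example: pre-flight checks on the files destined for the TLS Secret.

# Print the subject Common Name of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# check_tls_bundle <tls.crt> <tls.key> <ca.crt> <expected CN>
# Returns 0 only if every check passes; reports each failure on stderr.
check_tls_bundle() {
  rc=0
  cn=$(cert_cn "$1")
  [ "$cn" = "$4" ] || { echo "FAIL: CN is '$cn', expected '$4'" >&2; rc=1; }
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  if [ -z "$pub" ] || [ "$pub" != "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]; then
    echo "FAIL: private key does not belong to the certificate" >&2; rc=1
  fi
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 ||
    { echo "FAIL: certificate does not verify against the CA file" >&2; rc=1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "FAIL: certificate has expired" >&2; rc=1; }
  return "$rc"
}

# Build a throwaway CA and leaf certificate (constructed sample input).
make_demo_pki() {  # $1 = output directory, $2 = leaf CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/tls.key" -out "$1/tls.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/tls.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/tls.crt" 2>/dev/null
}

# Demo: "hippo-primary" is an assumed name following the suffix rule above.
demo=$(mktemp -d)
make_demo_pki "$demo" hippo-primary
check_tls_bundle "$demo/tls.crt" "$demo/tls.key" "$demo/ca.crt" hippo-primary &&
  echo "bundle passes all checks"
rm -rf "$demo"
```

Run `check_tls_bundle` against your real files in place of the demo; a non-zero exit status means at least one check failed and the bundle should not be loaded into the Secret.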
There are several ways to add your own custom Kubernetes Labels to your Postgres cluster.
- Cluster: You can apply labels to any PGO managed object in a cluster by editing the
spec.metadata.labels section of the custom resource.
- Postgres: You can apply labels to a Postgres instance set and its objects by editing
- pgBackRest: You can apply labels to pgBackRest and its objects by editing
- PgBouncer: You can apply labels to PgBouncer connection pooling instances by editing
There are several ways to add your own custom Kubernetes Annotations to your Postgres cluster.
- Cluster: You can apply annotations to any PGO managed object in a cluster by editing the
spec.metadata.annotations section of the custom resource.
- Postgres: You can apply annotations to a Postgres instance set and its objects by editing
- pgBackRest: You can apply annotations to pgBackRest and its objects by editing
- PgBouncer: You can apply annotations to PgBouncer connection pooling instances by editing
Separate WAL PVCs
PostgreSQL commits transactions by storing changes in its Write-Ahead Log (WAL). Because the way WAL files are accessed and utilized often differs from that of data files, in high-performance situations it can be desirable to put WAL files on a separate storage volume. With PGO, this can be done by adding a
walVolumeClaimSpec block to your desired instance in your PostgresCluster spec, either when your cluster is created or anytime thereafter:
- name: instance
This volume can be removed later by removing the
walVolumeClaimSpec section from the instance. Note that when changing the WAL directory, care is taken so as not to lose any WAL files. PGO only
deletes the PVC once there are no longer any WAL files on the previously configured volume.
Changes Not Applied
If your Postgres configuration settings are not present, you may need to check a few things. First, ensure that you are using the syntax that Postgres expects. You can see this in the Postgres configuration documentation.
Some settings, such as
shared_buffers, require Postgres to restart. Patroni only performs a reload when parameter changes are identified. Therefore, for parameters that require a restart, the restart can be performed manually by executing into a Postgres instance and running
patronictl restart --force <clusterName>-ha.