Allow Streaming Replication

Clusters can now be configured to automatically enable streaming
replication from a remote primary.

- The `spec.standby` section of the postgrescluster spec allows users to
  define a `host` and `port` that point to a remote primary
- The `repoName` field is now optional
- Certificate auth is required when connecting to the primary. Users
  must configure custom tls certs on the standby that allow this
  authentication method
- Replication user will be the default `_crunchyrepl` user
- A cluster will not be created if the standby spec is invalid
- kuttl: deploy two clusters, a primary and standby, in a single
  namespace. Ensure that the standby cluster has replicated the primary
  data and the walreciever process is running

Author: jmckulk

config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml

@@ -10656,16 +10656,24 @@ spec:
                   enabled:
                     default: true
                     description: Whether or not the PostgreSQL cluster should be read-only.
-                      When this is true, WAL files are applied from the pgBackRest
-                      repository.
+                      When this is true, WAL files are applied from a pgBackRest repository
+                      or another PostgreSQL server.
                     type: boolean
+                  host:
+                    description: Network address of the PostgreSQL server to follow
+                      via streaming replication.
+                    type: string
+                  port:
+                    description: Network port of the PostgreSQL server to follow via
+                      streaming replication.
+                    format: int32
+                    minimum: 1024
+                    type: integer
                   repoName:
                     description: The name of the pgBackRest repository to follow for
                       WAL files.
                     pattern: ^repo[1-4]
                     type: string
-                required:
-                - repoName
                 type: object
               supplementalGroups:
                 description: 'A list of group IDs applied to the process of a container.

docs/content/architecture/disaster-recovery.md

@@ -5,115 +5,117 @@ draft: false
 weight: 140
 ---
 
-![PostgreSQL Operator High-Availability Overview](/images/postgresql-ha-multi-data-center.png)
-
-Advanced [high-availability]({{< relref "architecture/high-availability.md" >}})
-and [backup management]({{< relref "architecture/backups.md" >}})
-strategies involve spreading your database clusters across multiple data centers
-to help maximize uptime. In Kubernetes, this technique is known as "[federation](https://en.wikipedia.org/wiki/Federation_(information_technology))".
-Federated Kubernetes clusters are able to communicate with each other,
+Advanced high-availability and disaster recovery strategies involve spreading
+your database clusters across multiple data centers to help maximize uptime.
+In Kubernetes, this technique is known as "[federation](https://en.wikipedia.org/wiki/Federation_(information_technology))".
+Federated Kubernetes clusters can communicate with each other,
 coordinate changes, and provide resiliency for applications that have high
 uptime requirements.
 
 As of this writing, federation in Kubernetes is still in ongoing development
 and is something we monitor with intense interest. As Kubernetes federation
 continues to mature, we wanted to provide a way to deploy PostgreSQL clusters
 managed by the [PostgreSQL Operator](https://www.crunchydata.com/developers/download-postgres/containers/postgres-operator)
-that can span multiple Kubernetes clusters. This can be accomplished with a
-few environmental setups:
-
-- Two Kubernetes clusters
-- An external storage system, using one of the following:
-  - S3, or an external storage system that uses the S3 protocol
-  - GCS
-  - Azure Blob Storage
-  - A Kubernetes storage system that can span multiple clusters
+that can span multiple Kubernetes clusters.
 
 At a high-level, the PostgreSQL Operator follows the "active-standby" data
 center deployment model for managing the PostgreSQL clusters across Kubernetes
-clusters. In one Kubernetes cluster, the PostgreSQL Operator deploy PostgreSQL as an
+clusters. In one Kubernetes cluster, the PostgreSQL Operator deploys PostgreSQL as an
 "active" PostgreSQL cluster, which means it has one primary and one-or-more
 replicas. In another Kubernetes cluster, the PostgreSQL cluster is deployed as
 a "standby" cluster: every PostgreSQL instance is a replica.
 
 A side-effect of this is that in each of the Kubernetes clusters, the PostgreSQL
 Operator can be used to deploy both active and standby PostgreSQL clusters,
-allowing you to mix and match! While the mixing and matching may not ideal for
+allowing you to mix and match! While the mixing and matching may not be ideal for
 how you deploy your PostgreSQL clusters, it does allow you to perform online
 moves of your PostgreSQL data to different Kubernetes clusters as well as manual
 online upgrades.
 
 Lastly, while this feature does extend high-availability, promoting a standby
 cluster to an active cluster is **not** automatic. While the PostgreSQL clusters
-within a Kubernetes cluster do support self-managed high-availability, a
-cross-cluster deployment requires someone to specifically promote the cluster
+within a Kubernetes cluster support self-managed high-availability, a
+cross-cluster deployment requires someone to promote the cluster
 from standby to active.
 
 ## Standby Cluster Overview
 
-Standby PostgreSQL clusters are managed just like any other PostgreSQL cluster
-that is managed by the PostgreSQL Operator. For example, adding replicas to a
-standby cluster is identical as adding them to a primary cluster.
+Standby PostgreSQL clusters are managed like any other PostgreSQL cluster that the PostgreSQL
+Operator manages. For example, adding replicas to a standby cluster is identical to adding them to a
+primary cluster.
 
-As the architecture diagram above shows, the main difference is that there is
-no primary instance: one PostgreSQL instance is reading in the database changes
-from the backup repository, while the other replicas are replicas of that instance.
-This is known as [cascading replication](https://www.postgresql.org/docs/current/warm-standby.html#CASCADING-REPLICATION).
- replicas are cascading replicas, i.e. replicas replicating from a database server that itself is replicating from another database server.
+The main difference between a primary and standby cluster is that there is no primary instance on
+the standby: one PostgreSQL instance is reading in the database changes from either the backup
+repository or via streaming replication, while other instances are replicas of it.
+
+Any replicas created in the standby cluster are known as cascading replicas, i.e., replicas
+replicating from a database server that itself is replicating from another database server. More
+information about [cascading replication](https://www.postgresql.org/docs/current/warm-standby.html#CASCADING-REPLICATION)
+can be found in the PostgreSQL documentation.
 
 Because standby clusters are effectively read-only, certain functionality
-that involves making changes to a database, e.g. PostgreSQL user changes, is
-blocked while a cluster is in standby mode.  Additionally, backups and restores
-are blocked as well. While [pgBackRest](https://pgbackrest.org/) does support
+that involves making changes to a database, e.g., PostgreSQL user changes, is
+blocked while a cluster is in standby mode. Additionally, backups and restores
+are blocked as well. While [pgBackRest](https://pgbackrest.org/) supports
 backups from standbys, this requires direct access to the primary database,
 which cannot be done until the PostgreSQL Operator supports Kubernetes
 federation.
 
-## Creating a Standby PostgreSQL Cluster
+### Types of Standby Clusters
+There are three ways to deploy a standby cluster with the Postgres Operator.
 
-For creating a standby Postgres cluster with PGO, please see the [disaster recovery tutorial]({{< relref "tutorial/disaster-recovery.md" >}}#standby-cluster)
+#### Repo-based Standby
+
+A repo-based standby will connect to a pgBackRest repo stored in an external storage system
+(S3, GCS, Azure Blob Storage, or any other Kubernetes storage system that can span multiple
+clusters). The standby cluster will receive WAL files from the repo and will apply those to the
+database.
 
-## Promoting a Standby Cluster
+![PostgreSQL Operator High-Availability Overview](/images/postgresql-ha-multi-data-center.png)
+
+#### Streaming Standby
+
+A streaming standby relies on an authenticated connection to the primary over the network. The
+standby will receive WAL records directly from the primary as they are generated.
 
-There comes a time where a standby cluster needs to be promoted to an active
-cluster. Promoting a standby cluster means that a PostgreSQL instance within
-it will become a primary and start accepting both reads and writes. This has the
-net effect of pushing WAL (transaction archives) to the pgBackRest repository,
-so we need to take a few steps first to ensure we don't accidentally create a
-split-brain scenario.
+<!-- ![PostgreSQL Operator High-Availability Overview](/images/postgresql-ha-multi-data-center.png) -->
 
-First, if this is not a disaster scenario, you will want to "shutdown" the
-active PostgreSQL cluster. This can be done by setting:
+#### Streaming Standby with an External Repo
 
-```
-spec:
-  shutdown: true
-```
+You can also configure the operator to create a cluster that takes advantage of both methods. The
+standby cluster will bootstrap from the pgBackRest repo and continue to receive WAL files as they
+are pushed to the repo. The cluster will also directly connect to primary and receive WAL records
+as they are generated. Using a repo while also streaming ensures that your cluster will still be up
+to date with the pgBackRest repo if streaming falls behind.
+
+<!-- ![PostgreSQL Operator High-Availability Overview](/images/postgresql-ha-multi-data-center.png) -->
+
+For creating a standby Postgres cluster with PGO, please see the [disaster recovery tutorial]({{< relref "tutorial/disaster-recovery.md" >}}#standby-cluster)
 
-The effect of this is that all the Kubernetes Statefulsets and Deployments for this cluster are
-scaled to 0.
+### Promoting a Standby Cluster
 
-We can then promote the standby cluster using the following:
+There comes a time when a standby cluster needs to be promoted to an active cluster. Promoting a
+standby cluster means that the standby leader PostgreSQL instance will become a primary and start
+accepting both reads and writes. This has the net effect of pushing WAL (transaction archives) to
+the pgBackRest repository. Before doing this, we need to ensure we don't accidentally create a split-brain
+scenario.
 
-```
-spec:
-  standby:
-    enabled: false
-```
+If you are promoting the standby while the primary is still running, i.e., if this is not a disaster
+scenario, you will want to [shutdown the active PostgreSQL cluster]({{< relref "tutorial/administrative-tasks.md" >}}#shutdown).
 
-This command essentially removes the standby configuration from the Kubernetes
-cluster’s DCS, which triggers the promotion of the current standby leader to a
-primary PostgreSQL instance. You can view this promotion in the PostgreSQL
-standby leader's (soon to be active leader's) logs:
+The standby can be promoted once the primary is inactive, e.g., is either `shutdown` or failing.
+This process essentially removes the standby configuration from the Kubernetes cluster’s DCS, which
+triggers the promotion of the current standby leader to a primary PostgreSQL instance. You can view
+this promotion in the PostgreSQL standby leader's (soon to be active leader's) logs.
 
-With the standby cluster now promoted, the cluster with the original active
-PostgreSQL cluster can now be turned into a standby PostgreSQL cluster.  This is
-done by deleting and recreating all PVCs for the cluster and re-initializing it
-as a standby using the backup repository.  Being that this is a destructive action
-(i.e. data will only be retained if any Storage Classes and/or Persistent
+Once the standby cluster is promoted, the cluster with the original active
+PostgreSQL cluster can now be turned into a standby PostgreSQL cluster. This is
+done by deleting and recreating all PVCs for the cluster and reinitializing it
+as a standby using the backup repository. Being that this is a destructive action
+(i.e., data will only be retained if any Storage Classes and/or Persistent
 Volumes have the appropriate reclaim policy configured) a warning is shown
 when attempting to enable standby.
 
 The cluster will reinitialize from scratch as a standby, just
-like the original standby that was created above.  Therefore any transactions
-written to the original standby, should now replicate back to this cluster.
+like the original standby created above. Therefore any transactions
+written to the original standby should now replicate back to this cluster.

docs/content/references/crd.md

@@ -27,7 +27,21 @@ kubectl patch postgrescluster/hippo -n postgres-operator --type merge \
   --patch '{"spec":{"shutdown": true}}'
 ```
 
-Shutting down a cluster will terminate all of the active Pods. Any Statefulsets or Deployments are scaled to `0`.
+The effect of this is that all the Kubernetes workloads for this cluster are
+scaled to 0. You can verify this with the following command:
+
+```
+kubectl get deploy,sts,cronjob --selector=postgres-operator.crunchydata.com/cluster=hippo
+
+NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
+deployment.apps/hippo-pgbouncer   0/0     0            0           1h
+
+NAME                             READY   AGE
+statefulset.apps/hippo-00-lwgx   0/0     1h
+
+NAME                             SCHEDULE   SUSPEND   ACTIVE
+cronjob.batch/hippo-repo1-full   @daily     True      0
+```
 
 To turn a Postgres cluster that is shut down back on, you can set `spec.shutdown` to `false`.