Demo data sources — perimeter 3 customer-simulated Postgres

akko-demo-sources deploys four standalone Postgres StatefulSets in the namespace akko-demo-sources. The chart is separate from the AKKO umbrella by design: it represents what a customer would already own (operational OLTP, IoT PostGIS, public-sector registry, ESG geospatial) before AKKO is installed. AKKO Trino federates these sources via the standard postgresql connector.

This is the third AKKO deployment perimeter (ADR-045):

  1. AKKO core (namespace akko) — platform itself
  2. AKKO demo AD (namespace akko-demo-ad) — LLDAP for SSO demo
  3. AKKO demo sources (namespace akko-demo-sources) — this chart

Instances

Instance                          Image                           Domain                  Trino catalog (ADR-046)
akko-demo-sources-banking         postgres:16-alpine              OLTP banking            postgres_oltp_banking
akko-demo-sources-iot             postgis/postgis:16-3.4-alpine   IoT spatial             postgres_postgis_iot
akko-demo-sources-publicsector    postgres:16-alpine              INSEE SIRENE            postgres_oltp_publicsector
akko-demo-sources-esg             postgis/postgis:16-3.4-alpine   Real estate / climate   postgres_postgis_esg

The catalog naming convention (<engine>_<storage>_<domain>) makes the cockpit Catalogs page self-explanatory: a prospect immediately understands that postgres_postgis_iot is a Postgres instance with PostGIS holding IoT data, federated through Trino.

Single source of truth for credentials

Both this chart and the AKKO umbrella read the four passwords from global.demoSources.passwords.<domain>. The umbrella renders a mirror Secret akko-demo-sources-passwords in the akko namespace so Trino can resolve the env vars in its catalog .properties files (Kubernetes does not allow cross-namespace secretKeyRef).

helm install akko-demo-sources helm/akko-demo-sources/ \
  -n akko-demo-sources --create-namespace \
  --set postgresPasswords.banking=<32-char random> \
  --set postgresPasswords.iot=<32-char random> \
  --set postgresPasswords.publicsector=<32-char random> \
  --set postgresPasswords.esg=<32-char random>

The umbrella receives the SAME values via global.demoSources.passwords. Drift between the chart-side credential and the Trino-side connection password is structurally impossible.

Open-data shaped seeds (Sprint 62.3)

The companion DAGs in airflow/dags/akko_load_*.py (and the mirror airflow/dags/sql/seed_*.sql) load synthetic data shaped to match real open data sources:

  • PaySim Kaggle (CC0) — 100 k transactions, 0.13 % fraud rate
  • NOAA Global Hourly ISD — 50 stations × 30 days hourly + 1 k industrial assets across France
  • INSEE SIRENE Open Licence 2.0 — 100 k synthetic French companies with SIRET, SIREN, NAF, weighted department distribution
  • Copernicus CDS + ENTSO-E Transparency + DPE — 50 k real-estate listings + 50 k flood-risk scores + 60 k energy rows

A swap to the real CSV downloads is a one-line change per DAG. The SQL seeds are server-side equivalents that bootstrap the data in seconds for fresh clusters.

NetworkPolicy

The chart enforces a strict NetworkPolicy per instance:

  • Ingress allowed from same-namespace pods + the AKKO platform namespace (global.akkoNamespace, default akko)
  • Egress limited to kube-dns only (no public Internet, no Slack, nothing)
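
The two rules above, written out as a NetworkPolicy for the banking instance. This is an added illustration, not the chart's own template: the pod label, the kube-dns selector (k8s-app=kube-dns in kube-system) and the restriction of ingress to port 5432 are assumptions.

```yaml
# Added illustration; not rendered from helm/akko-demo-sources.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: akko-demo-sources-banking
  namespace: akko-demo-sources
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: akko-demo-sources-banking  # assumed pod label
  # Listing both types makes the policy default-deny in each direction:
  # anything not matched by a rule below is dropped.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # Two separate list items are OR-ed: same-namespace pods,
        # or any pod in the AKKO platform namespace.
        - podSelector: {}
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: akko  # global.akkoNamespace default
      ports:
        - protocol: TCP
          port: 5432  # assumption: the page does not state a port restriction
  egress:
    - to:
        # One list item with both selectors is AND-ed: only kube-dns pods
        # inside kube-system, not every pod in that namespace.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns  # assumed label; varies by distribution
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

The policy is only enforced when the cluster's CNI plugin implements NetworkPolicy; on a CNI without that support the object is accepted but has no effect.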

Smoke test

# Connection from inside Trino
# Both labels go in one comma-separated selector: repeating -l keeps only the last one.
TRINO_POD=$(kubectl -n akko get pod \
  -l app.kubernetes.io/component=coordinator,app.kubernetes.io/name=trino \
  -o name | head -1)
kubectl -n akko exec "$TRINO_POD" -- \
  trino --user alice --execute 'SHOW SCHEMAS FROM postgres_oltp_banking'
# expect: information_schema, pg_catalog, public