feat(sso-mfa): T03 PostgreSQL manifests (NK-WP-0001-T03)

CloudNativePG Cluster CR (net-kingdom-pg, PostgreSQL 16) with two application databases: keycloak_db (owner: keycloak) and privacyidea_db (owner: privacyidea). Passwords managed continuously via managed.roles. WAL archiving section stubbed and commented; activate when object storage is available. ScheduledBackup CR included (daily 02:00 UTC, 7d retention). Also: sync workplan status for T01 (Phase 0a done), T02 (manifests done), T03 (manifests done, restore drill pending); close NK-WP-0002. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-05 09:22:13 +01:00
parent 2ebb231f19
commit 8929bf65bc
7 changed files with 533 additions and 7 deletions
--- a/sso-mfa/k8s/postgresql/cluster.yaml
+++ b/sso-mfa/k8s/postgresql/cluster.yaml
@@ -0,0 +1,102 @@
+# CloudNativePG Cluster — net-kingdom-pg
+#
+# Creates a PostgreSQL 16 cluster with two application databases:
+#   keycloak_db   (owner: keycloak)
+#   privacyidea_db (owner: privacyidea)
+#
+# Prerequisites:
+#   - CloudNativePG operator installed (see README.md)
+#   - K8s Secrets created (see create-secrets.sh)
+#   - databases namespace exists (T02)
+#
+# Adjust `instances` before production: 1 for dev/staging, 3 for HA.
+# Adjust `storage.size` to match available PVC capacity.
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: net-kingdom-pg
+  namespace: databases
+  labels:
+    app.kubernetes.io/part-of: net-kingdom-sso-mfa
+    net-kingdom/component: databases
+spec:
+  # ── Instance count ───────────────────────────────────────────────────────────
+  # 1 = dev/single-node. Increase to 3 for ThreePhoenix HA production deployment.
+  instances: 1
+
+  imageName: ghcr.io/cloudnative-pg/postgresql:16
+
+  # ── Bootstrap ────────────────────────────────────────────────────────────────
+  # Creates keycloak_db with owner keycloak. privacyidea_db and the
+  # privacyidea role are created in postInitSQL (runs as superuser).
+  # managed.roles below reconciles passwords for both users continuously.
+  bootstrap:
+    initdb:
+      database: keycloak_db
+      owner: keycloak
+      secret:
+        name: net-kingdom-pg-keycloak-app
+      postInitSQL:
+        - "CREATE ROLE privacyidea WITH LOGIN;"
+        - "CREATE DATABASE privacyidea_db OWNER privacyidea;"
+        - "REVOKE CONNECT ON DATABASE privacyidea_db FROM PUBLIC;"
+        - "REVOKE CONNECT ON DATABASE keycloak_db FROM PUBLIC;"
+        - "GRANT CONNECT ON DATABASE keycloak_db TO keycloak;"
+        - "GRANT CONNECT ON DATABASE privacyidea_db TO privacyidea;"
+
+  # ── Managed roles ────────────────────────────────────────────────────────────
+  # Operator reconciles these passwords continuously from K8s Secrets.
+  # This ensures password rotation in KeePassXC/Vault propagates to PG.
+  managed:
+    roles:
+      - name: keycloak
+        ensure: present
+        login: true
+        passwordSecret:
+          name: net-kingdom-pg-keycloak-app
+      - name: privacyidea
+        ensure: present
+        login: true
+        passwordSecret:
+          name: net-kingdom-pg-privacyidea-app
+
+  # ── Storage ──────────────────────────────────────────────────────────────────
+  storage:
+    size: 10Gi
+    # storageClass: local-path   # uncomment to pin StorageClass explicitly
+
+  # ── WAL archiving (backup prerequisite) ─────────────────────────────────────
+  # Uncomment the backup section when object storage is available (MinIO/S3).
+  # WAL archiving must be enabled here before ScheduledBackup will function.
+  #
+  # backup:
+  #   barmanObjectStore:
+  #     destinationPath: "s3://net-kingdom-backups/postgres/"
+  #     endpointURL: "http://minio.minio-system.svc.cluster.local:9000"
+  #     s3Credentials:
+  #       accessKeyId:
+  #         name: net-kingdom-pg-backup-s3
+  #         key: ACCESS_KEY_ID
+  #       secretAccessKey:
+  #         name: net-kingdom-pg-backup-s3
+  #         key: SECRET_ACCESS_KEY
+  #     wal:
+  #       compression: gzip
+  #     data:
+  #       compression: gzip
+  #       immediateCheckpoint: true
+  #   retentionPolicy: "7d"
+
+  # ── Resource limits ──────────────────────────────────────────────────────────
+  resources:
+    requests:
+      memory: "256Mi"
+      cpu: "100m"
+    limits:
+      memory: "1Gi"
+      cpu: "1000m"
+
+  # ── Monitoring ───────────────────────────────────────────────────────────────
+  # Set enablePodMonitor: true when Prometheus / kube-prometheus-stack is deployed.
+  monitoring:
+    enablePodMonitor: false