feat(sso-mfa): T03 PostgreSQL manifests (NK-WP-0001-T03)

CloudNativePG Cluster CR (net-kingdom-pg, PostgreSQL 16) with two
application databases: keycloak_db (owner: keycloak) and privacyidea_db
(owner: privacyidea). Passwords managed continuously via managed.roles.
WAL archiving section stubbed and commented; activate when object storage
is available. ScheduledBackup CR included (daily 02:00 UTC, 7d retention).

Also: sync workplan status for T01 (Phase 0a done), T02 (manifests done),
T03 (manifests done, restore drill pending); close NK-WP-0002.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-05 09:22:13 +01:00
parent 2ebb231f19
commit 8929bf65bc
7 changed files with 533 additions and 7 deletions

@@ -0,0 +1,26 @@
# CloudNativePG ScheduledBackup — net-kingdom-pg
#
# PREREQUISITE: WAL archiving must be enabled in cluster.yaml (backup.barmanObjectStore
# section) before this ScheduledBackup will succeed. Uncomment cluster.yaml backup
# block first, apply it, confirm WAL archiving is healthy, then apply this file.
#
# Schedule: daily at 02:00 UTC, keeping 7 daily backups.
# Adjust schedule and retentionPolicy to match your RPO/RTO requirements.
#
# See T03 restore drill procedure in README.md before marking T03 done.
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
name: net-kingdom-pg-daily
namespace: databases
labels:
app.kubernetes.io/part-of: net-kingdom-sso-mfa
net-kingdom/component: databases
spec:
# Daily at 02:00 UTC
schedule: "0 0 2 * * *" # CloudNativePG uses Go cron format: seconds minutes hours dom month dow
backupOwnerReference: self
cluster:
name: net-kingdom-pg
# Immediate: if the schedule is missed (e.g. pod restart), take a backup immediately
immediate: true
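Review bot: the comment above `immediate: true` misstates the field's semantics: in CloudNativePG `immediate` means a backup is started as soon as the ScheduledBackup object is created, not a catch-up for a missed schedule, and since the file header says WAL archiving is not yet enabled, that first backup would fail the moment this file is applied. Consider `immediate: false` (or `suspend: true`, to be lifted once the cluster's barmanObjectStore block is active) and reword the comment. Also, `retentionPolicy` mentioned in the header ("Adjust schedule and retentionPolicy") is a field of the Cluster's `spec.backup`, not of ScheduledBackup, so that comment should point the reader to cluster.yaml rather than implying it can be changed here.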