net-kingdom/sso-mfa/k8s/postgresql/cluster.yaml
tegwick 8929bf65bc feat(sso-mfa): T03 PostgreSQL manifests (NK-WP-0001-T03)
CloudNativePG Cluster CR (net-kingdom-pg, PostgreSQL 16) with two
application databases: keycloak_db (owner: keycloak) and privacyidea_db
(owner: privacyidea). Passwords managed continuously via managed.roles.
WAL archiving section stubbed and commented; activate when object storage
is available. ScheduledBackup CR included (daily 02:00 UTC, 7d retention).

Also: sync workplan status for T01 (Phase 0a done), T02 (manifests done),
T03 (manifests done, restore drill pending); close NK-WP-0002.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-05 09:22:13 +01:00

103 lines
4.4 KiB
YAML

# CloudNativePG Cluster — net-kingdom-pg
#
# Creates a PostgreSQL 16 cluster with two application databases:
#   keycloak_db    (owner: keycloak)
#   privacyidea_db (owner: privacyidea)
#
# Prerequisites:
#   - CloudNativePG operator installed (see README.md)
#   - K8s Secrets created (see create-secrets.sh)
#   - databases namespace exists (T02)
#
# Adjust `instances` before production: 1 for dev/staging, 3 for HA.
# Adjust `storage.size` to match available PVC capacity.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: net-kingdom-pg
  namespace: databases
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: databases
spec:
  # ── Instance count ───────────────────────────────────────────────────────────
  # 1 = dev/single-node. Increase to 3 for ThreePhoenix HA production deployment.
  instances: 1
  imageName: ghcr.io/cloudnative-pg/postgresql:16

  # ── Bootstrap ────────────────────────────────────────────────────────────────
  # Creates keycloak_db with owner keycloak. privacyidea_db and the
  # privacyidea role are created in postInitSQL (runs as superuser).
  # managed.roles below reconciles passwords for both users continuously.
  bootstrap:
    initdb:
      database: keycloak_db
      owner: keycloak
      secret:
        name: net-kingdom-pg-keycloak-app
      postInitSQL:
        - "CREATE ROLE privacyidea WITH LOGIN;"
        - "CREATE DATABASE privacyidea_db OWNER privacyidea;"
        - "REVOKE CONNECT ON DATABASE privacyidea_db FROM PUBLIC;"
        - "REVOKE CONNECT ON DATABASE keycloak_db FROM PUBLIC;"
        - "GRANT CONNECT ON DATABASE keycloak_db TO keycloak;"
        - "GRANT CONNECT ON DATABASE privacyidea_db TO privacyidea;"

  # ── Managed roles ────────────────────────────────────────────────────────────
  # Operator reconciles these passwords continuously from K8s Secrets.
  # This ensures password rotation in KeePassXC/Vault propagates to PG.
  managed:
    roles:
      - name: keycloak
        ensure: present
        login: true
        passwordSecret:
          name: net-kingdom-pg-keycloak-app
      - name: privacyidea
        ensure: present
        login: true
        passwordSecret:
          name: net-kingdom-pg-privacyidea-app

  # ── Storage ──────────────────────────────────────────────────────────────────
  storage:
    size: 10Gi
    # storageClass: local-path   # uncomment to pin StorageClass explicitly

  # ── WAL archiving (backup prerequisite) ─────────────────────────────────────
  # Uncomment the backup section when object storage is available (MinIO/S3).
  # WAL archiving must be enabled here before ScheduledBackup will function.
  #
  # backup:
  #   barmanObjectStore:
  #     destinationPath: "s3://net-kingdom-backups/postgres/"
  #     endpointURL: "http://minio.minio-system.svc.cluster.local:9000"
  #     s3Credentials:
  #       accessKeyId:
  #         name: net-kingdom-pg-backup-s3
  #         key: ACCESS_KEY_ID
  #       secretAccessKey:
  #         name: net-kingdom-pg-backup-s3
  #         key: SECRET_ACCESS_KEY
  #     wal:
  #       compression: gzip
  #     data:
  #       compression: gzip
  #       immediateCheckpoint: true
  #   retentionPolicy: "7d"

  # ── Resource limits ──────────────────────────────────────────────────────────
  resources:
    requests:
      memory: "256Mi"
      cpu: "100m"
    limits:
      memory: "1Gi"
      cpu: "1000m"

  # ── Monitoring ───────────────────────────────────────────────────────────────
  # Set enablePodMonitor: true when Prometheus / kube-prometheus-stack is deployed.
  monitoring:
    enablePodMonitor: false
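As an added post-bootstrap check (not part of the repository), the script below queries the effective CONNECT privileges on the running cluster and compares them with the policy the manifest's postInitSQL is meant to enforce: PUBLIC may connect to neither database, and each application role only to its own. The pod name `net-kingdom-pg-1`, the container name `postgres` and the kubectl/psql invocation are assumptions.

```python
"""CONNECT-privilege check for net-kingdom-pg (added example, not repo code).
Compares the effective privileges with the policy set by postInitSQL:
PUBLIC may connect to neither database, each role only to its own."""
import subprocess

# Expected CONNECT matrix, derived from the manifest's postInitSQL.
EXPECTED = {
    ("keycloak_db", "public"): False,
    ("privacyidea_db", "public"): False,
    ("keycloak_db", "keycloak"): True,
    ("privacyidea_db", "keycloak"): False,
    ("keycloak_db", "privacyidea"): False,
    ("privacyidea_db", "privacyidea"): True,
}

# has_database_privilege() reports the effective privilege, so a grant that
# leaks in via PUBLIC is seen just like a direct grant. pg_roles has no row
# for PUBLIC, hence the VALUES list instead of a join on pg_roles.
QUERY = """
SELECT d.datname, p.rolname,
       has_database_privilege(p.rolname, d.datname, 'CONNECT')
FROM pg_database d
CROSS JOIN (VALUES ('public'), ('keycloak'), ('privacyidea')) AS p(rolname)
WHERE d.datname IN ('keycloak_db', 'privacyidea_db');
"""

def evaluate(report_lines):
    """Return policy violations found in psql -At output (datname|rolname|t/f)."""
    seen = {}
    for line in report_lines:
        if line.strip():
            datname, rolname, flag = line.strip().split("|")
            seen[(datname, rolname)] = flag == "t"
    violations = []
    for (datname, rolname), want in EXPECTED.items():
        got = seen.get((datname, rolname))
        if got is None:
            violations.append(f"{rolname}@{datname}: no row (role or database missing)")
        elif got != want:
            violations.append(f"{rolname}@{datname}: CONNECT={got}, expected {want}")
    return violations

def run_check(cluster="net-kingdom-pg", namespace="databases"):
    """Run QUERY on instance 1 (the primary while instances: 1; assumption,
    select the primary pod explicitly once the cluster runs 3 instances)."""
    cmd = ["kubectl", "exec", "-n", namespace, f"{cluster}-1", "-c", "postgres",
           "--", "psql", "-At", "-d", "postgres", "-c", QUERY]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return evaluate(out.splitlines())
```

Run `run_check()` after bootstrap and again after a restore drill; an empty list means the REVOKE/GRANT statements took effect on both databases.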