generated from coulomb/repo-seed
- Add encrypt-secrets.sh / decrypt-secrets.sh: age-based secrets workflow replaces KeePassXC dependency; encrypted .env.age files committed to repo - Add bootstrap/secrets.enc/: all component secrets encrypted to age pubkey - Fix .gitignore: allow secrets.enc/**/*.age while blocking plaintext - Fix verify-t02.sh: update netpol names for Authelia+LLDAP+KeyCape stack - Fix verify-t03.sh: remove keycloak_db/role checks; fix ((PASS++)) set-e bug - Update postgresql/cluster.yaml: drop keycloak_db, bootstrap privacyidea_db only - Update postgresql/create-secrets.sh: remove keycloak secret - Fix netpol-databases.yaml: add port 8000 for CNPG instance manager HTTP API - T02 COMPLETE: namespaces, network policies, cert-manager issuers applied - T03 COMPLETE: CNPG operator installed, net-kingdom-pg cluster healthy Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
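---
# CloudNativePG Cluster — net-kingdom-pg
#
# Creates a PostgreSQL 16 cluster with one application database:
#   privacyidea_db (owner: privacyidea)
#
# Note: keycloak_db removed — Keycloak replaced by Authelia+LLDAP+KeyCape (T05).
#
# Prerequisites:
#   - CloudNativePG operator installed (see README.md)
#   - K8s Secrets created (see create-secrets.sh)
#   - databases namespace exists (T02)
#
# Adjust `instances` before production: 1 for dev/staging, 3 for HA.
# Adjust `storage.size` to match available PVC capacity.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: net-kingdom-pg
  namespace: databases
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: databases
spec:
  # ── Instance count ───────────────────────────────────────────────────────────
  # 1 = dev/single-node. Increase to 3 for ThreePhoenix HA production deployment.
  # With a single instance there is no replica to fail over to: losing the node
  # or its PVC is an outage and a restore from backup (see WAL archiving below).
  instances: 1

  # NOTE(review): `:16` is a floating major tag. Which patch release actually
  # runs depends on when the image was last pulled, and a new release is taken
  # without a reviewable change to this file. Pin a minor tag and, ideally, a
  # digest (`ghcr.io/cloudnative-pg/postgresql:16.<minor>@sha256:<digest>`) so
  # upgrades are explicit, reproducible and auditable.
  imageName: ghcr.io/cloudnative-pg/postgresql:16

  # ── Superuser access ─────────────────────────────────────────────────────────
  # Least privilege: do not have the operator create and maintain a `postgres`
  # superuser credential. Nothing in this manifest needs it — the application
  # role below owns its own database. Stated explicitly because the operator's
  # default for this flag has differed across CloudNativePG releases. Flip to
  # true only for break-glass admin work, and rotate the generated
  # `<cluster>-superuser` Secret afterwards.
  enableSuperuserAccess: false

  # ── Bootstrap ────────────────────────────────────────────────────────────────
  # initdb creates privacyidea_db owned by role privacyidea, taking the initial
  # password from the referenced Secret. The same Secret is reused by
  # managed.roles below, so rotating it rotates the live role password.
  bootstrap:
    initdb:
      database: privacyidea_db
      owner: privacyidea
      secret:
        name: net-kingdom-pg-privacyidea-app

  # ── Managed roles ────────────────────────────────────────────────────────────
  # The operator reconciles the role's password continuously from the K8s
  # Secret (expected to be a basic-auth style Secret with username/password —
  # see create-secrets.sh). `login: true` is required for the application to
  # connect; no superuser/createdb/createrole attributes are granted.
  managed:
    roles:
      - name: privacyidea
        ensure: present
        login: true
        passwordSecret:
          name: net-kingdom-pg-privacyidea-app

  # ── Storage ──────────────────────────────────────────────────────────────────
  storage:
    size: 10Gi
    # storageClass: local-path  # uncomment to pin StorageClass explicitly

  # ── WAL archiving (backup prerequisite) ─────────────────────────────────────
  # Uncomment the backup section when object storage is available (MinIO/S3).
  # WAL archiving must be enabled here before ScheduledBackup will function.
  #
  # NOTE(review): base backups and WAL are the full database contents. The
  # endpointURL below is plain http, so before enabling this, either switch to
  # https (set `endpointCA` to the MinIO CA Secret) or confirm the path is
  # already protected by a service mesh / NetworkPolicy. Consider server-side
  # encryption (`wal.encryption` / `data.encryption`) and give the backup
  # credential write-only scope on the bucket, since the object store then
  # holds a second copy of every credential stored in PrivacyIDEA.
  #
  # backup:
  #   barmanObjectStore:
  #     destinationPath: "s3://net-kingdom-backups/postgres/"
  #     endpointURL: "http://minio.minio-system.svc.cluster.local:9000"
  #     s3Credentials:
  #       accessKeyId:
  #         name: net-kingdom-pg-backup-s3
  #         key: ACCESS_KEY_ID
  #       secretAccessKey:
  #         name: net-kingdom-pg-backup-s3
  #         key: SECRET_ACCESS_KEY
  #     wal:
  #       compression: gzip
  #     data:
  #       compression: gzip
  #       immediateCheckpoint: true
  #   retentionPolicy: "7d"

  # ── Resource limits ──────────────────────────────────────────────────────────
  # Requests are deliberately below limits for a dev node; for production,
  # raise requests to match limits so the pod gets Guaranteed QoS and is not
  # the first thing evicted under memory pressure.
  resources:
    requests:
      memory: "256Mi"
      cpu: "100m"
    limits:
      memory: "1Gi"
      cpu: "1000m"

  # ── Monitoring ───────────────────────────────────────────────────────────────
  # Set enablePodMonitor: true when Prometheus / kube-prometheus-stack is deployed.
  # Until then the PodMonitor CRD is absent and creating it would fail.
  monitoring:
    enablePodMonitor: false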