coulomb/railiance-platform
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add vergabe role + vergabe_db database for RAILIANCE-WP-0002 T04

Browse Source 
First consumer of the shared apps-pg cluster: managed role vergabe in apps-pg-cluster.yaml plus Database CR vergabe-db in new helm/apps-pg-databases.yaml. .gitignore whitelists helm/*-databases.yaml. Workplan implementation notes from codex folded in. Live: Database CR applied=true, psql from vergabe-teilnahme ns returns PostgreSQL 16.13.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Bernd Worsch
2026-05-19 15:47:06 +02:00
parent 39fc74ecac
commit 017934d479
4 changed files with 66 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -6,6 +6,7 @@ helm/*.yaml
# Kubernetes manifests (no secrets) are safe to commit # Kubernetes manifests (no secrets) are safe to commit
!helm/*-cluster.yaml !helm/*-cluster.yaml
!helm/*-networkpolicies.yaml !helm/*-networkpolicies.yaml
!helm/*-databases.yaml
# Kubeconfig # Kubeconfig
*.kubeconfig *.kubeconfig

12
helm/apps-pg-cluster.yaml
View File

@@ -34,8 +34,18 @@ spec:
owner: apps_admin owner: apps_admin
secret: secret:
name: apps-pg-credentials name: apps-pg-credentials
# Per-app PostgreSQL roles are added here (CNPG 1.28 role lifecycle is
# cluster-scoped — no standalone Role CR). The credential Secret for
# each role lives in the databases namespace and is mirrored into the
# consumer namespace by the consuming repo. See docs/apps-pg.md.
managed:
roles:
- name: vergabe # RAILIANCE-WP-0002 T04 (vergabe-teilnahme)
ensure: present
login: true
passwordSecret:
name: vergabe-app-credentials
# HA replica + connection pooler are deferred (RAILIANCE-WP-0003 Notes): # HA replica + connection pooler are deferred (RAILIANCE-WP-0003 Notes):
# managed:
# services: # services:
# additional: # additional:
# - selectorType: rw # - selectorType: rw

21
helm/apps-pg-databases.yaml Normal file
View File

@@ -0,0 +1,21 @@
---
# Per-consumer CNPG Database CRs against apps-pg.
# Each entry is a database in the shared cluster, owned by a per-app
# role declared in helm/apps-pg-cluster.yaml under spec.managed.roles.
# See docs/apps-pg.md for the onboarding contract.
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: vergabe-db # RAILIANCE-WP-0002 T04
namespace: databases
labels:
app.kubernetes.io/name: apps-pg
app.kubernetes.io/component: database-instance
railiance.io/layer: s3-platform
railiance.io/consumer: vergabe-teilnahme
spec:
cluster:
name: apps-pg
name: vergabe_db
owner: vergabe
ensure: present

36
workplans/RAILIANCE-WP-0003-apps-pg-shared-cluster.md
View File

@@ -77,10 +77,41 @@ standalone CNPG `Role` CR exists.
CNPG cluster therefore needs its own NetworkPolicy triplet CNPG cluster therefore needs its own NetworkPolicy triplet
(egress-to-kube-api, ingress-from-cnpg-operator, ingress-from-app-ns) (egress-to-kube-api, ingress-from-cnpg-operator, ingress-from-app-ns)
— pattern visible in `helm/gitea-db-networkpolicies.yaml`. — pattern visible in `helm/gitea-db-networkpolicies.yaml`.
- No `helm/apps-pg-*.yaml` artifacts exist yet. - `helm/apps-pg-cluster.yaml`, `helm/apps-pg-networkpolicies.yaml`,
`helm/apps-pg-secret.sops.yaml.template`, and `docs/apps-pg.md` are
present in the repo.
- Coordination message id: `768c18f4-8785-4108-a900-fa117eb8778f` - Coordination message id: `768c18f4-8785-4108-a900-fa117eb8778f`
(state-hub thread). (state-hub thread).
## Implementation Notes
Completed on 2026-05-19.
- CNPG operator is `ghcr.io/cloudnative-pg/cloudnative-pg:1.28.1`.
- `clusters.postgresql.cnpg.io` and `databases.postgresql.cnpg.io` CRDs
are present; `roles.postgresql.cnpg.io` is not present, so role
onboarding remains platform-administered through managed roles or a
controlled SQL workflow.
- `local-path` is the default StorageClass. The single K3s node reports
no memory, disk, or PID pressure; allocatable ephemeral storage is
about 97.7 GB and memory is about 3.8 GiB. Existing CNPG PVC footprint
before `apps-pg` was two 10Gi PVCs (`gitea-db-1`,
`net-kingdom-pg-1`).
- `databases` exists with `default-deny-all`; `cnpg-system` has the
required `kubernetes.io/metadata.name=cnpg-system` namespace label.
- The live CNPG CRD rejected `spec.postgresql.version`; the deployed
`apps-pg` manifest therefore pins PostgreSQL 16 with
`imageName: ghcr.io/cloudnative-pg/postgresql:16`.
- `apps-pg` is deployed in `databases`, reports `Cluster in healthy
state`, and has primary `apps-pg-1`.
- Services `apps-pg-rw` and `apps-pg-ro` exist. With one instance,
`apps-pg-ro` is present but has no replica endpoint until HA is added.
- A disposable namespace labeled
`railiance.io/postgres-client=apps-pg` successfully connected to
`apps-pg-rw.databases.svc.cluster.local:5432/apps_meta` as
`apps_admin`; the temporary namespace and copied smoke-test secret
were deleted immediately after the check.
## Safety Contract ## Safety Contract
- Do not commit plaintext credentials. Bootstrap secret is a one-time - Do not commit plaintext credentials. Bootstrap secret is a one-time
@@ -221,8 +252,7 @@ metadata:
railiance.io/role: shared-apps-database railiance.io/role: shared-apps-database
spec: spec:
instances: 1 # bump when node RAM > 8GB instances: 1 # bump when node RAM > 8GB
postgresql: imageName: ghcr.io/cloudnative-pg/postgresql:16
version: "16"
storage: storage:
size: 10Gi size: 10Gi
bootstrap: bootstrap: