RAILIANCE-WP-0003 T02-T06: provision shared apps-pg cnpg cluster
Adds the shared CloudNativePG cluster apps-pg for S5 application databases: - helm/apps-pg-cluster.yaml — Cluster CR, PG 16, 1 instance, 10Gi - helm/apps-pg-networkpolicies.yaml — egress-to-kube-api + ingress-from-cnpg-operator + label-based ingress opt-in (railiance.io/postgres-client=apps-pg) - helm/apps-pg-secret.sops.yaml.template — bootstrap credential template (encrypt with SOPS before committing the real .sops.yaml) - Makefile targets: apps-pg-deploy, apps-pg-status (with cnpg-plugin fallback), apps-pg-shell (apps_admin/apps_meta), apps-pg-logs - docs/apps-pg.md (codex) — consumer onboarding contract clarifying the CNPG 1.28 role/database lifecycle boundary Also fixes helm/gitea-db-cluster.yaml: spec.postgresql.version is not a valid CNPG v1 field (strict decoding rejects it). Replaced with spec.imageName matching the live cluster (postgresql:18.1-system-trixie) so make db-deploy is a no-op instead of an apply rejection. Live state at commit time: Cluster apps-pg in healthy state, primary apps-pg-1 Running, smoke-tested via psql from a labeled temp ns. Co-Authored-By: codex <noreply@openai.com> Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
71
helm/apps-pg-networkpolicies.yaml
Normal file
71
helm/apps-pg-networkpolicies.yaml
Normal file
@@ -0,0 +1,71 @@
|
||||
# NetworkPolicies for the shared apps-pg cnpg cluster (RAILIANCE-WP-0003).
|
||||
# The databases namespace has a default-deny-all policy; each cluster
|
||||
# needs explicit egress-to-kube-api, ingress-from-cnpg-operator, and
|
||||
# ingress-from-app-namespace policies.
|
||||
#
|
||||
# Unlike gitea-db (which hard-codes `default` as the consumer ns), this
|
||||
# triplet uses a label-based opt-in: any namespace carrying the label
|
||||
# `railiance.io/postgres-client=apps-pg` may connect on TCP/5432. The
|
||||
# shared cluster cannot know its consumer namespaces in advance, so it
|
||||
# expects each consumer to add this label as part of its onboarding.
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: allow-egress-kube-api-apps-pg
|
||||
namespace: databases
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
cnpg.io/cluster: apps-pg
|
||||
policyTypes:
|
||||
- Egress
|
||||
egress:
|
||||
- ports:
|
||||
- port: 6443
|
||||
protocol: TCP
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: allow-ingress-from-cnpg-operator-apps-pg
|
||||
namespace: databases
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
cnpg.io/cluster: apps-pg
|
||||
policyTypes:
|
||||
- Ingress
|
||||
ingress:
|
||||
- from:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: cnpg-system
|
||||
ports:
|
||||
- port: 5432
|
||||
protocol: TCP
|
||||
- port: 8000
|
||||
protocol: TCP
|
||||
- port: 9187
|
||||
protocol: TCP
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: allow-ingress-from-app-namespaces-apps-pg
|
||||
namespace: databases
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
cnpg.io/cluster: apps-pg
|
||||
policyTypes:
|
||||
- Ingress
|
||||
ingress:
|
||||
- from:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
railiance.io/postgres-client: apps-pg
|
||||
podSelector: {}
|
||||
ports:
|
||||
- port: 5432
|
||||
protocol: TCP
|
||||
Reference in New Issue
Block a user