diff --git a/SCOPE.md b/SCOPE.md index 15a04de..7329103 100644 --- a/SCOPE.md +++ b/SCOPE.md @@ -14,14 +14,14 @@ S3 Platform Services layer of the Railiance OAS Stack — owns shared cluster se ## Core Idea -Railiance is structured as five independent repos per OAS Stack layer. This repo is S3 — the platform services that multiple applications share. PostgreSQL HA (repmgr + pgpool) and Valkey (Redis-compatible cache) are the first services being extracted here, moved from the Gitea subchart in S2 into standalone Helm releases under S3 so the boundary rule is properly enforced. +Railiance is structured as five independent repos per OAS Stack layer. This repo is S3 — the platform services that multiple applications share. The active migration is from Bitnami postgresql-ha (repmgr + pgpool, currently a Gitea subchart in S2) to CloudNative PG (cnpg operator, already deployed in the cnpg-system namespace) as the canonical database operator. Valkey cluster is also in scope for S3 extraction from S2. --- ## In Scope -- PostgreSQL HA (repmgr + pgpool) as a standalone Helm release -- Valkey / Redis-compatible cache as a standalone Helm release +- PostgreSQL via CloudNative PG operator (cnpg) — operator deployed, `databases` namespace active +- Valkey / Redis-compatible cache as a standalone Helm release (to be extracted from S2) - Secret management infrastructure - Identity services integration point (with net-kingdom) - Message brokers (RabbitMQ, similar) 
@@ -59,9 +59,9 @@ Railiance is structured as five independent repos per OAS Stack layer. This repo ## Current State - Status: active / emerging -- Implementation: PostgreSQL HA + Valkey extraction from S2 in progress (RAIL-PL-WP-0001) -- Stability: emerging — first platform workplan active -- Usage: shared database and cache services for all S5 applications +- Implementation: CloudNative PG operator (cnpg) deployed; `databases` namespace active; Valkey + legacy postgresql-ha extraction from S2 in progress (RAIL-PL-WP-0001) +- Stability: emerging — cnpg deployed but database cluster definitions not yet migrated from S2 +- Usage: will be the shared database and cache layer; currently cnpg-system + databases namespaces are live --- @@ -92,9 +92,9 @@ Railiance is structured as five independent repos per OAS Stack layer. This repo ```capability type: infrastructure -title: PostgreSQL HA (repmgr + pgpool) -description: Highly available PostgreSQL cluster using repmgr for replication and pgpool for connection pooling — shared database service for all platform applications. -keywords: [postgresql, postgres, ha, repmgr, pgpool, database, replication] +title: PostgreSQL via CloudNative PG (cnpg) +description: PostgreSQL database clusters managed by the CloudNative PG operator — shared database service for all platform applications. Operator deployed in cnpg-system namespace; database clusters defined in the databases namespace. +keywords: [postgresql, postgres, cnpg, cloudnative-pg, operator, database, kubernetes] ``` ```capability 
@@ -117,4 +117,4 @@ keywords: [minio, s3, object-storage, storage, artifacts, backup] - Start with: `CLAUDE.md` (session protocol, boundary rules) - Key files / directories: `workplans/RAIL-PL-WP-0001-platform-baseline.md`, `helm/` (platform Helm charts), `Makefile` -- Pre-conditions: railiance-cluster (S2) converged with k3s running; active backup on Nextcloud before migration steps +- Pre-conditions: railiance-cluster (S2) converged with k3s running; cluster backup verified before migration steps (`sudo make backup` in railiance-cluster) diff --git a/helm/gitea-db-networkpolicies.yaml b/helm/gitea-db-networkpolicies.yaml index 0195230..96312ff 100644 --- a/helm/gitea-db-networkpolicies.yaml +++ b/helm/gitea-db-networkpolicies.yaml @@ -1,6 +1,7 @@ # NetworkPolicies for gitea-db cnpg cluster # The databases namespace has a default-deny-all policy; each cluster needs -# explicit egress-to-kube-api and ingress-from-cnpg-operator policies. +# explicit egress-to-kube-api, ingress-from-cnpg-operator, and +# ingress-from-app-namespace policies. --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy @@ -41,3 +42,23 @@ spec: protocol: TCP - port: 9187 protocol: TCP +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-ingress-from-default-gitea-db + namespace: databases +spec: + podSelector: + matchLabels: + cnpg.io/cluster: gitea-db + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: default + ports: + - port: 5432 + protocol: TCP
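Review bot: the first SCOPE.md hunk (the Core Idea paragraph and the In Scope list) spells the operator "CloudNative PG" while its own keywords line later in the same file uses `cloudnative-pg`; pick one spelling (the project name is one word, CloudNativePG) and use it consistently so searches across the repo match. The same hunk also leaves it ambiguous whether "Valkey cluster is also in scope for S3 extraction from S2" means the existing S2 Helm subchart is moved as-is or re-deployed; the In Scope bullet "(to be extracted from S2)" suggests a move, so say so in the Core Idea sentence too.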
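Review bot: the Current State hunk contradicts the Core Idea hunk: it says "Valkey + legacy postgresql-ha extraction from S2 in progress (RAIL-PL-WP-0001)", but the Core Idea now describes postgresql-ha as the thing being migrated away from in favour of cnpg, not something being extracted into S3. State plainly whether postgresql-ha is being moved into S3 as an interim step or retired once the cluster definitions are on cnpg, and which one RAIL-PL-WP-0001 covers, otherwise the Stability line ("database cluster definitions not yet migrated from S2") has no clear target.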
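Review bot: the capability-block hunk drops `ha` and `replication` from the keywords list even though the description still presents this as the shared database service and cnpg-managed clusters are the HA replacement for repmgr; keep `ha` (and `replication`, if the clusters will run replicas) so the capability is still discoverable by the terms the old entry used.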
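Review bot: the pre-conditions hunk replaces "active backup on Nextcloud" with "cluster backup verified before migration steps (`sudo make backup` in railiance-cluster)" but no longer says where the backup lands or what "verified" means; since this is the gate before a database migration, name the destination and the check (at minimum that the archive exists and is non-empty, ideally a restore test), and note that `sudo make backup` is run as root so the target should be executed from a trusted checkout.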
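Review bot: the comment hunk in helm/gitea-db-networkpolicies.yaml describes the third policy as "ingress-from-app-namespace", but the policy that follows in the same file selects the `default` namespace by name (`kubernetes.io/metadata.name: default`); say which namespace is meant (for example "from the Gitea namespace, currently `default`") so the comment stays accurate when Gitea moves and the policy name changes.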
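Review bot: the new `allow-ingress-from-default-gitea-db` policy is broader than its comment suggests: the single `from` entry
```
- namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: default
```
admits every pod in the `default` namespace to port 5432 on all `cnpg.io/cluster: gitea-db` pods, and `default` is the namespace anything without an explicit target lands in. Add a `podSelector` inside the same list item (not as a second `-` entry, which would OR them) matching the Gitea pods' labels so only Gitea reaches the database, or move Gitea into its own namespace and select that. Also note the rule targets primary and replicas alike, which is fine as long as clients use the cnpg `-rw`/`-ro` services rather than pod IPs.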