feat(gitea-db): add NetworkPolicy for app-namespace ingress; update SCOPE
- Add allow-ingress-from-default-gitea-db NetworkPolicy so Gitea pods in default namespace can connect to gitea-db cnpg cluster on 5432
- Update SCOPE.md to reflect cnpg as the canonical DB operator (postgresql-ha subchart fully decommissioned as of this session)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
SCOPE.md
@@ -14,14 +14,14 @@ S3 Platform Services layer of the Railiance OAS Stack — owns shared cluster se
## Core Idea
Railiance is structured as five independent repos per OAS Stack layer. This repo is S3 — the platform services that multiple applications share. PostgreSQL HA (repmgr + pgpool) and Valkey (Redis-compatible cache) are the first services being extracted here, moved from the Gitea subchart in S2 into standalone Helm releases under S3 so the boundary rule is properly enforced.
Railiance is structured as five independent repos per OAS Stack layer. This repo is S3 — the platform services that multiple applications share. The active migration is from Bitnami postgresql-ha (repmgr + pgpool, currently a Gitea subchart in S2) to CloudNative PG (cnpg operator, already deployed in the cnpg-system namespace) as the canonical database operator. Valkey cluster is also in scope for S3 extraction from S2.
---
## In Scope
- PostgreSQL HA (repmgr + pgpool) as a standalone Helm release
- Valkey / Redis-compatible cache as a standalone Helm release
- PostgreSQL via CloudNative PG operator (cnpg) — operator deployed, `databases` namespace active
- Valkey / Redis-compatible cache as a standalone Helm release (to be extracted from S2)
- Secret management infrastructure
- Identity services integration point (with net-kingdom)
- Message brokers (RabbitMQ, similar)
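Review bot: the rewritten Core Idea paragraph still describes Bitnami postgresql-ha as "currently a Gitea subchart in S2", while this commit's own message states the postgresql-ha subchart is fully decommissioned as of this session; the two should agree. Suggest rewording to past tense ("was a Gitea subchart in S2, now decommissioned") so SCOPE.md does not advertise a component that no longer exists. The In Scope bullets are consistent with cnpg as the canonical operator and need no change.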
@@ -59,9 +59,9 @@ Railiance is structured as five independent repos per OAS Stack layer. This repo
## Current State
- Status: active / emerging
- Implementation: PostgreSQL HA + Valkey extraction from S2 in progress (RAIL-PL-WP-0001)
- Stability: emerging — first platform workplan active
- Usage: shared database and cache services for all S5 applications
- Implementation: CloudNative PG operator (cnpg) deployed; `databases` namespace active; Valkey + legacy postgresql-ha extraction from S2 in progress (RAIL-PL-WP-0001)
- Stability: emerging — cnpg deployed but database cluster definitions not yet migrated from S2
- Usage: will be the shared database and cache layer; currently cnpg-system + databases namespaces are live
---
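Review bot: the Current State bullets lag the rest of this commit. "Implementation" still lists "legacy postgresql-ha extraction from S2 in progress" although the commit message says that subchart is decommissioned, and "Stability" says "database cluster definitions not yet migrated from S2" although the NetworkPolicy in this same commit selects pods labelled `cnpg.io/cluster: gitea-db` in the databases namespace, i.e. at least one cnpg cluster definition is already live. Suggest updating both bullets to name gitea-db as the first migrated cluster and dropping the postgresql-ha reference.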
@@ -92,9 +92,9 @@ Railiance is structured as five independent repos per OAS Stack layer. This repo
```capability
type: infrastructure
title: PostgreSQL HA (repmgr + pgpool)
description: Highly available PostgreSQL cluster using repmgr for replication and pgpool for connection pooling — shared database service for all platform applications.
keywords: [postgresql, postgres, ha, repmgr, pgpool, database, replication]
title: PostgreSQL via CloudNative PG (cnpg)
description: PostgreSQL database clusters managed by the CloudNative PG operator — shared database service for all platform applications. Operator deployed in cnpg-system namespace; database clusters defined in the databases namespace.
keywords: [postgresql, postgres, cnpg, cloudnative-pg, operator, database, kubernetes]
```
```capability
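Review bot: the capability description says "shared database service for all platform applications", but after this commit the only consumer reachability that exists is the ingress rule from the `default` namespace to gitea-db; under the databases namespace default-deny, every further application namespace needs its own ingress-from-app-namespace policy. Worth one sentence in `description:` stating that access is opt-in per consumer namespace via NetworkPolicy, so readers of SCOPE.md do not assume any platform app can connect by default.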
@@ -117,4 +117,4 @@ keywords: [minio, s3, object-storage, storage, artifacts, backup]
- Start with: `CLAUDE.md` (session protocol, boundary rules)
- Key files / directories: `workplans/RAIL-PL-WP-0001-platform-baseline.md`, `helm/` (platform Helm charts), `Makefile`
- Pre-conditions: railiance-cluster (S2) converged with k3s running; active backup on Nextcloud before migration steps
- Pre-conditions: railiance-cluster (S2) converged with k3s running; cluster backup verified before migration steps (`sudo make backup` in railiance-cluster)
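Review bot: the new pre-condition reads "cluster backup verified", but the command given, `sudo make backup`, takes a backup rather than verifying one, and a backup that has never been restored is not a verified backup. Either reword to "cluster backup taken" or state what verification means here (for example a restore into a scratch namespace, or a size and checksum comparison against the previous backup). The removed line also named the backup destination (Nextcloud); if `make backup` still ships there, keeping that in the text preserves useful recovery information.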
@@ -1,6 +1,7 @@
# NetworkPolicies for gitea-db cnpg cluster
# The databases namespace has a default-deny-all policy; each cluster needs
# explicit egress-to-kube-api and ingress-from-cnpg-operator policies.
# explicit egress-to-kube-api, ingress-from-cnpg-operator, and
# ingress-from-app-namespace policies.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
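Review bot: the header comment now lists the three policy classes each cluster needs on the databases side, which is good, but it says nothing about the consumer side. If the consumer namespace (here `default`) also carries a default-deny egress policy, the client pods need a matching egress rule to the databases namespace on 5432; this comment is the natural place to say so, otherwise the next person debugging a connection timeout will look only at the policies in this file.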
@@ -41,3 +42,23 @@ spec:
protocol: TCP
- port: 9187
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-from-default-gitea-db
namespace: databases
spec:
podSelector:
matchLabels:
cnpg.io/cluster: gitea-db
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: default
ports:
- port: 5432
protocol: TCP
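Review bot: the `from:` element uses a `namespaceSelector` alone, so this rule admits every pod in the `default` namespace to gitea-db on 5432, not only "Gitea pods" as the commit message says. Adding a `podSelector:` inside the same `from` element (it is AND-ed with the namespaceSelector when both sit in one element) narrows it to the Gitea workload, e.g. beneath the namespaceSelector add `podSelector:` / `matchLabels:` / `<label the Gitea pods carry>` (placeholder; take the label from the Gitea deployment). Without it, any workload that lands in `default` inherits database reachability and PostgreSQL authentication becomes the only control. A short comment noting that 5432 here is the client port, distinct from the 9187 port in the preceding operator policy's context lines, would also help future readers.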