From e29f430b8d1f723270fa00dab96ed726b48f5460 Mon Sep 17 00:00:00 2001
From: tegwick
Date: Fri, 27 Mar 2026 02:23:00 +0100
Subject: [PATCH] feat(s3): add gitea-db NetworkPolicies and Valkey values template

- gitea-db-networkpolicies.yaml: allow-egress-kube-api and allow-ingress-from-cnpg-operator for gitea-db cluster pods; required because databases namespace has default-deny-all policy and existing allow rules only covered net-kingdom-pg
- valkey-values.sops.yaml.template: standalone Valkey Helm values template with Gitea connection string documentation
- .gitignore: allow *-networkpolicies.yaml alongside *-cluster.yaml

Fixes gitea-db initdb failure (T03); gitea-db cluster now healthy.

Co-Authored-By: Claude Sonnet 4.6
---
 .gitignore | 1 +
 helm/gitea-db-networkpolicies.yaml | 43 +++++++++++++++++++++++++++
 helm/valkey-values.sops.yaml.template | 21 +++++++++++++
 3 files changed, 65 insertions(+)
 create mode 100644 helm/gitea-db-networkpolicies.yaml
 create mode 100644 helm/valkey-values.sops.yaml.template

diff --git a/.gitignore b/.gitignore
index 533ca5b..9a4691a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,7 @@ helm/*.yaml
 !helm/*.yaml.template
 # Kubernetes manifests (no secrets) are safe to commit
 !helm/*-cluster.yaml
+!helm/*-networkpolicies.yaml
 
 # Kubeconfig
 *.kubeconfig
diff --git a/helm/gitea-db-networkpolicies.yaml b/helm/gitea-db-networkpolicies.yaml
new file mode 100644
index 0000000..0195230
--- /dev/null
+++ b/helm/gitea-db-networkpolicies.yaml
@@ -0,0 +1,43 @@
+# NetworkPolicies for gitea-db cnpg cluster
+# The databases namespace has a default-deny-all policy; each cluster needs
+# explicit egress-to-kube-api and ingress-from-cnpg-operator policies.
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-kube-api-gitea-db
+  namespace: databases
+spec:
+  podSelector:
+    matchLabels:
+      cnpg.io/cluster: gitea-db
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - port: 6443
+          protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-from-cnpg-operator-gitea-db
+  namespace: databases
+spec:
+  podSelector:
+    matchLabels:
+      cnpg.io/cluster: gitea-db
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: cnpg-system
+      ports:
+        - port: 5432
+          protocol: TCP
+        - port: 8000
+          protocol: TCP
+        - port: 9187
+          protocol: TCP
diff --git a/helm/valkey-values.sops.yaml.template b/helm/valkey-values.sops.yaml.template
new file mode 100644
index 0000000..7a7eee2
--- /dev/null
+++ b/helm/valkey-values.sops.yaml.template
@@ -0,0 +1,21 @@
+# Valkey standalone Helm values — S3 Platform Services
+# Encrypt before committing: sops -e -i helm/valkey-values.sops.yaml
+# Deploy: make valkey-deploy
+#
+# Gitea connection strings (update gitea-values.sops.yaml after deployment):
+# cache: redis://:PASSWORD@valkey-master.platform.svc.cluster.local:6379/0
+# session: redis://:PASSWORD@valkey-master.platform.svc.cluster.local:6379/1
+# queue: redis://:PASSWORD@valkey-master.platform.svc.cluster.local:6379/2
+auth:
+  enabled: true
+  password: REPLACE_WITH_PASSWORD  # encrypt with SOPS
+
+architecture: standalone  # single node; upgrade to replication when RAM allows
+
+master:
+  persistence:
+    enabled: true
+    size: 2Gi
+
+replica:
+  replicaCount: 0  # standalone mode — no replicas
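Review bot: The egress rule in allow-egress-kube-api-gitea-db has a `ports` entry but no `to` selector, so under the namespace's default-deny it re-opens 6443/TCP from the gitea-db pods to every destination (any node, any external host), not just the API server; the name promises a much narrower hole than the rule grants. Because the kube-apiserver is not a pod it cannot be selected by label, so the usual way to keep this tight is an `ipBlock` naming the control-plane endpoint(s) the pods actually reach on 6443 (the post-DNAT address, if the CNI evaluates policy after the Service translation — worth confirming for this cluster), as sketched below. Two adjacent gaps are not addressed by this file and may be covered by other policies in the namespace, so only verify: there is no egress rule for DNS (53/UDP+TCP), which the instance pods need once they resolve anything beyond the injected API-server address, and there is no ingress on 5432 from the Gitea application namespace, so "cluster now healthy" does not yet mean the application can connect. Both documents in the hunk are complete.
```yaml
  egress:
    - to:
        - ipBlock:
            cidr: CONTROL_PLANE_IP/32  # placeholder: kube-apiserver endpoint address(es)
      ports:
        - port: 6443
          protocol: TCP
# … unchanged: second document (allow-ingress-from-cnpg-operator-gitea-db) …
```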
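Review bot: `password: REPLACE_WITH_PASSWORD` is an unquoted plain scalar, so whoever fills in a generated password that contains `#`, `: `, or starts with a YAML indicator will get a silently truncated or mis-parsed value (and a digit-only or boolean-looking value would be retyped); write the placeholder as `password: "REPLACE_WITH_PASSWORD"  # quote the real value too` so the convention carries over. The header comment says `sops -e -i helm/valkey-values.sops.yaml`, but this file is the `.template`, which the `!helm/*.yaml.template` rule in the .gitignore hunk commits in plaintext, so the copy step is implicit and the template itself must never hold a real secret; a line such as `# Copy to helm/valkey-values.sops.yaml, set the password there, then encrypt — never edit the real password into this template` would make the workflow explicit. The Gitea URLs in the comment embed the password in the connection string; that is fine as long as gitea-values.sops.yaml is the only place it lands, which this file cannot enforce.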