feat(s3): add gitea-db NetworkPolicies and Valkey values template

- gitea-db-networkpolicies.yaml: allow-egress-kube-api and allow-ingress-from-cnpg-operator for gitea-db cluster pods; required because databases namespace has default-deny-all policy and existing allow rules only covered net-kingdom-pg - valkey-values.sops.yaml.template: standalone Valkey Helm values template with Gitea connection string documentation - .gitignore: allow *-networkpolicies.yaml alongside *-cluster.yaml Fixes gitea-db initdb failure (T03); gitea-db cluster now healthy. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-27 02:23:00 +01:00
parent 2a4312643d
commit e29f430b8d
3 changed files with 65 additions and 0 deletions
--- a/helm/gitea-db-networkpolicies.yaml
+++ b/helm/gitea-db-networkpolicies.yaml
@@ -0,0 +1,43 @@
+# NetworkPolicies for gitea-db cnpg cluster
+# The databases namespace has a default-deny-all policy; each cluster needs
+# explicit egress-to-kube-api and ingress-from-cnpg-operator policies.
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-kube-api-gitea-db
+  namespace: databases
+spec:
+  podSelector:
+    matchLabels:
+      cnpg.io/cluster: gitea-db
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - port: 6443
+          protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-from-cnpg-operator-gitea-db
+  namespace: databases
+spec:
+  podSelector:
+    matchLabels:
+      cnpg.io/cluster: gitea-db
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: cnpg-system
+      ports:
+        - port: 5432
+          protocol: TCP
+        - port: 8000
+          protocol: TCP
+        - port: 9187
+          protocol: TCP
--- a/helm/valkey-values.sops.yaml.template
+++ b/helm/valkey-values.sops.yaml.template
@@ -0,0 +1,21 @@
+# Valkey standalone Helm values — S3 Platform Services
+# Encrypt before committing: sops -e -i helm/valkey-values.sops.yaml
+# Deploy: make valkey-deploy
+#
+# Gitea connection strings (update gitea-values.sops.yaml after deployment):
+#   cache:    redis://:PASSWORD@valkey-master.platform.svc.cluster.local:6379/0
+#   session:  redis://:PASSWORD@valkey-master.platform.svc.cluster.local:6379/1
+#   queue:    redis://:PASSWORD@valkey-master.platform.svc.cluster.local:6379/2
+auth:
+  enabled: true
+  password: REPLACE_WITH_PASSWORD   # encrypt with SOPS
+
+architecture: standalone   # single node; upgrade to replication when RAM allows
+
+master:
+  persistence:
+    enabled: true
+    size: 2Gi
+
+replica:
+  replicaCount: 0   # standalone mode — no replicas