Author the repository's INTENT: the shared platform-services layer — the
dependable, backed-up, secure foundation of stateful services (data,
cache, secret custody, object storage, messaging) that consumers build on,
behind stable interfaces and independently evolvable underneath.
Intent is kept self-coherent and reference-free (no external project or
dependency-product references), describing this repository's own purpose
at the abstract, stable level.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
First consumer of the shared apps-pg cluster: managed role vergabe in
apps-pg-cluster.yaml plus Database CR vergabe-db in new
helm/apps-pg-databases.yaml. .gitignore whitelists helm/*-databases.yaml.
Workplan implementation notes from codex folded in. Live: Database CR
applied=true, psql from vergabe-teilnahme ns returns PostgreSQL 16.13.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Marks T01-T06 done and the workplan as finished. apps-pg is in 'Cluster in
healthy state', smoke-tested via labeled-ns psql, documented in
docs/apps-pg.md, and the platform team has replied on the coordination
thread (msg dd119862) so RAILIANCE-WP-0002 T04 can proceed.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds the shared CloudNativePG cluster apps-pg for S5 application
databases:
- helm/apps-pg-cluster.yaml — Cluster CR, PG 16, 1 instance, 10Gi
- helm/apps-pg-networkpolicies.yaml — egress-to-kube-api +
ingress-from-cnpg-operator + label-based ingress opt-in
(railiance.io/postgres-client=apps-pg)
- helm/apps-pg-secret.sops.yaml.template — bootstrap credential
template (encrypt with SOPS before committing the real .sops.yaml)
- Makefile targets: apps-pg-deploy, apps-pg-status (with cnpg-plugin
fallback), apps-pg-shell (apps_admin/apps_meta), apps-pg-logs
- docs/apps-pg.md (codex) — consumer onboarding contract clarifying
the CNPG 1.28 role/database lifecycle boundary
Also fixes helm/gitea-db-cluster.yaml: spec.postgresql.version is not
a valid CNPG v1 field (strict decoding rejects it). Replaced with
spec.imageName matching the live cluster (postgresql:18.1-system-trixie)
so make db-deploy is a no-op instead of an apply rejection.
Live state at commit time: Cluster apps-pg in healthy state, primary
apps-pg-1 Running, smoke-tested via psql from a labeled temp ns.
Co-Authored-By: codex <noreply@openai.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
6-task plan to provision a shared CloudNative PG cluster apps-pg in
the databases namespace, with NetworkPolicies that use a label-based
consumer opt-in (railiance.io/postgres-client=apps-pg) instead of
the per-namespace allowlist gitea-db uses.
Responds to coordination message 768c18f4 from railiance-apps and
unblocks RAILIANCE-WP-0002 T04 (vergabe-teilnahme role+db creation).
Keeps platform agnostic of individual apps per ADR-003: per-app
Database CRs and credential Secrets are owned by the consuming repos.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
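Worked example, added here and not taken from the repository's helm/ files: the shapes of the objects the apps-pg commits above describe. It covers the Cluster CR pinned through spec.imageName (CNPG v1 has no spec.postgresql.version, which is the gitea-db fix), the managed role and Database CR the first-consumer commit mentions, and the label-based ingress opt-in NetworkPolicy from the plan. The image tag, the Secret names, the policy name and the apps_meta/apps_admin bootstrap values are assumptions; the databases namespace, the label key railiance.io/postgres-client=apps-pg and the cnpg.io/cluster label CNPG puts on instance pods are the real ones.

```yaml
# Added example, not the repository's own manifests. Names marked
# "assumed" are illustrative.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: apps-pg
  namespace: databases
spec:
  instances: 1
  # CNPG v1 has no spec.postgresql.version; strict decoding rejects it.
  # The major version is carried by the image reference instead.
  imageName: ghcr.io/cloudnative-pg/postgresql:16.13   # tag assumed
  storage:
    size: 10Gi
  bootstrap:
    initdb:
      database: apps_meta          # assumed
      owner: apps_admin            # assumed
      secret:
        name: apps-pg-bootstrap    # assumed; kubernetes.io/basic-auth Secret
  managed:
    roles:
      # Role lifecycle is owned by the platform; the consumer supplies the
      # credential Secret (ADR-003), so its name here is assumed.
      - name: vergabe
        ensure: present
        login: true
        passwordSecret:
          name: vergabe-credentials
---
# Database CR for the first consumer; must live in the Cluster's namespace.
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
  name: vergabe-db
  namespace: databases
spec:
  name: vergabe
  owner: vergabe
  cluster:
    name: apps-pg
---
# Label-based consumer opt-in: any namespace carrying the label may reach
# the apps-pg instance pods on 5432. Policy name assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: apps-pg-allow-labeled-clients
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: apps-pg
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              railiance.io/postgres-client: apps-pg
      ports:
        - protocol: TCP
          port: 5432
```

Two things to keep in mind with the opt-in form. The selector is namespace-wide, so every pod in a labeled namespace can reach 5432, and anyone whose RBAC allows patching namespace labels can opt a namespace in; either restrict that verb or add a podSelector beside the namespaceSelector under from:. And if consumer namespaces run a default-deny egress policy, the opt-in label alone is not enough; they also need an egress rule toward the databases namespace on 5432.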
- Add allow-ingress-from-default-gitea-db NetworkPolicy so Gitea pods
in default namespace can connect to gitea-db cnpg cluster on 5432
- Update SCOPE.md to reflect cnpg as the canonical DB operator (postgresql-ha
subchart fully decommissioned as of this session)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
WP-0001 targeted Bitnami postgresql-ha; CloudNative PG (cnpg) is the
deployed operator. Migration path now tracked in RAIL-HO-WP-0004-T03–T05.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Lays out the S3 platform layer foundation for RAIL-PL-WP-0001 T01:
- .sops.yaml: age encryption policy (shared key, *.sops.yaml pattern)
- .gitignore: prevents accidental commit of decrypted values files
- Makefile: pg-deploy, pg-status, pg-pgpool-check, valkey-deploy,
valkey-status, backup targets with KUBECONFIG/HELM wiring
- helm/postgresql-ha-values.yaml.template: annotated values schema
with CHANGEME_ placeholders; includes pgpool-password fix from
RAIL-BS-WP-0003; notes on single-node vs ThreePhoenix scaling
- docs/postgresql-ha.md: connection strings, DB creation, password
rotation, pgpool-password critical note, HA failover test ref,
ThreePhoenix scaling path
To complete T01: fill in CHANGEME_ values, encrypt with sops -e -i,
then run make pg-deploy.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
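Added example of the SOPS side of the T01 procedure above (not the repository's own .sops.yaml or template): a creation rule for the *.sops.yaml pattern with one age recipient, followed by what the bootstrap Secret template looks like once its CHANGEME_ value is filled in and just before it is encrypted in place. The recipient key is a placeholder and the Secret name is assumed; encrypted_regex is an addition the commits do not mention, limiting encryption to the data/stringData values so kind, name and namespace stay readable in the committed file.

```yaml
# .sops.yaml (added example; recipient is a placeholder, not a real key)
creation_rules:
  - path_regex: \.sops\.yaml$
    # Only Secret payload fields are encrypted; metadata stays greppable.
    encrypted_regex: ^(data|stringData)$
    age: age1examplerecipientplaceholder000000000000000000000000000000
---
# helm/apps-pg-secret.sops.yaml, filled in from the .template and not yet
# encrypted. Names assumed. The committed copy carries only ENC[...] values
# after `sops -e -i helm/apps-pg-secret.sops.yaml`.
apiVersion: v1
kind: Secret
metadata:
  name: apps-pg-bootstrap
  namespace: databases
type: kubernetes.io/basic-auth
stringData:
  username: apps_admin
  password: CHANGEME_APPS_ADMIN_PASSWORD   # replace before encrypting
```

Order matters: fill the placeholders, run sops -e -i on the file, confirm with grep that no CHANGEME_ string and no plaintext password remain, and only then run the deploy target. The .template suffix keeps the unfilled file outside the creation rule, which is why the .gitignore entry for decrypted values files is the only thing standing between a filled-in plaintext copy and the repository history.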