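# Platform operations Makefile: thin wrappers around kubectl/helm for the
# hosteurope cluster. Every target is a command, not a file, so all targets
# are declared .PHONY at the bottom and run unconditionally when invoked.
#
# bash is required (not POSIX sh): pg-deploy and valkey-deploy feed helm the
# decrypted values through process substitution, <(sops -d ...), so the
# plaintext secrets are never written to disk.
SHELL := /usr/bin/env bash
.DEFAULT_GOAL := help

# Cluster access. Override from the command line (make KUBECONFIG=...) to aim
# the same targets at a different cluster; every kubectl/helm call goes
# through $(KUBECTL)/$(HELM) so the kubeconfig is applied consistently.
KUBECONFIG ?= $(HOME)/.kube/config-hosteurope
KUBECTL := kubectl --kubeconfig=$(KUBECONFIG)
HELM := helm --kubeconfig=$(KUBECONFIG)
NAMESPACE := platform

# Chart versions are pinned so a redeploy is reproducible and a chart update
# is an explicit, reviewable change rather than whatever the repo serves today.
PG_CHART_VERSION ?= 16.2.2
VALKEY_CHART_VERSION ?= 2.x
OPENBAO_CHART_VERSION ?= 0.28.2
OPENBAO_NAMESPACE ?= openbao
OPENBAO_RELEASE ?= openbao
OPENBAO_VALUES ?= helm/openbao-values.yaml

##@ CloudNative PG (cnpg) — primary database operator

db-deploy: ## Apply Gitea cnpg Cluster (creates gitea-db in databases namespace)
	$(KUBECTL) apply -f helm/gitea-db-cluster.yaml

# Prefer the cnpg kubectl plugin for a rich health view; if that command fails
# (e.g. plugin not installed) its stderr is discarded and we fall back to the
# raw Cluster resource.
db-status: ## Show cnpg cluster health
	$(KUBECTL) cnpg status gitea-db -n databases 2>/dev/null || \
	$(KUBECTL) get cluster gitea-db -n databases -o wide

db-shell: ## Open psql shell on gitea-db primary
	$(KUBECTL) cnpg psql gitea-db -n databases -- -U gitea gitea

db-logs: ## Tail gitea-db primary logs
	$(KUBECTL) logs -n databases -l cnpg.io/cluster=gitea-db -f --tail=50

##@ PostgreSQL HA (legacy — superseded by cnpg above)

# Shared prerequisite for every bitnami/* chart below, mirroring openbao-repo,
# so a deploy target never depends on the repo having been added by some
# other target earlier.
bitnami-repo: ## Add / update the Bitnami Helm repository
	$(HELM) repo add bitnami https://charts.bitnami.com/bitnami --force-update

# Namespace creation is idempotent (client-side dry-run rendered, then applied)
# so the target is safe to re-run. Values are sops-encrypted at rest and
# decrypted only into the process-substitution pipe that helm reads.
pg-deploy: bitnami-repo ## Deploy / upgrade standalone PostgreSQL HA to platform namespace
	$(KUBECTL) create namespace $(NAMESPACE) --dry-run=client -o yaml | $(KUBECTL) apply -f -
	$(HELM) upgrade --install postgresql-ha bitnami/postgresql-ha \
		--version $(PG_CHART_VERSION) \
		--namespace $(NAMESPACE) \
		-f <(sops -d helm/postgresql-ha-values.sops.yaml) \
		--wait --timeout 5m

pg-status: ## Check PostgreSQL HA pod status
	$(KUBECTL) get pods -n $(NAMESPACE) -l app.kubernetes.io/name=postgresql-ha

# Reads the base64 value of the pgpool-password key only to test for presence;
# the value itself is never printed. Exits 1 when the key is absent so this
# can gate a pipeline. kubectl's own errors are suppressed and surface as the
# same "missing" verdict.
pg-pgpool-check: ## Verify pgpool-password secret key is present (see RAIL-BS-WP-0003)
	@SECRET=$$($(KUBECTL) get secret -n $(NAMESPACE) postgresql-ha-postgresql \
		-o jsonpath='{.data.pgpool-password}' 2>/dev/null); \
	if [ -z "$$SECRET" ]; then \
		echo "ERROR: pgpool-password key missing from secret — pgpool will CrashLoop on restart"; \
		exit 1; \
	else \
		echo "OK: pgpool-password key present"; \
	fi

##@ Valkey (cache)

# Pinned to $(VALKEY_CHART_VERSION) like the other charts; previously this
# target installed whatever the newest bitnami/valkey chart was.
valkey-deploy: bitnami-repo ## Deploy / upgrade Valkey (Redis-compatible) to platform namespace
	$(KUBECTL) create namespace $(NAMESPACE) --dry-run=client -o yaml | $(KUBECTL) apply -f -
	$(HELM) upgrade --install valkey bitnami/valkey \
		--version $(VALKEY_CHART_VERSION) \
		--namespace $(NAMESPACE) \
		-f <(sops -d helm/valkey-values.sops.yaml) \
		--wait --timeout 3m

valkey-status: ## Check Valkey pod status
	$(KUBECTL) get pods -n $(NAMESPACE) -l app.kubernetes.io/name=valkey

##@ OpenBao (secrets)

openbao-repo: ## Add / update the official OpenBao Helm repository
	$(HELM) repo add openbao https://openbao.github.io/openbao-helm --force-update
	$(HELM) repo update openbao

# Same flags as openbao-deploy plus --dry-run, so the rendered manifests can be
# reviewed before anything reaches the cluster. --create-namespace is needed
# here because this target does not run the kubectl namespace step.
openbao-dry-run: openbao-repo ## Render the OpenBao Helm release without applying it
	$(HELM) upgrade --install $(OPENBAO_RELEASE) openbao/openbao \
		--version $(OPENBAO_CHART_VERSION) \
		--namespace $(OPENBAO_NAMESPACE) \
		--create-namespace \
		-f $(OPENBAO_VALUES) \
		--dry-run

openbao-deploy: openbao-repo ## Deploy / upgrade OpenBao to the openbao namespace
	$(KUBECTL) create namespace $(OPENBAO_NAMESPACE) --dry-run=client -o yaml | $(KUBECTL) apply -f -
	$(HELM) upgrade --install $(OPENBAO_RELEASE) openbao/openbao \
		--version $(OPENBAO_CHART_VERSION) \
		--namespace $(OPENBAO_NAMESPACE) \
		-f $(OPENBAO_VALUES) \
		--wait --timeout 5m

# The `-` prefix on the exec line is deliberate: `bao status` exits non-zero
# when the server is sealed or not yet initialised, and that is exactly the
# state this target is meant to show, not a reason to fail.
openbao-status: ## Show OpenBao pods, services, PVCs, and seal/init status
	$(KUBECTL) get pods,svc,pvc -n $(OPENBAO_NAMESPACE) \
		-l app.kubernetes.io/instance=$(OPENBAO_RELEASE) -o wide
	-$(KUBECTL) exec -n $(OPENBAO_NAMESPACE) $(OPENBAO_RELEASE)-0 -- bao status

##@ Backup

backup: ## Backup platform services (PostgreSQL logical dump) — age-encrypted to Nextcloud
	sudo tools/cmd/railiance-backup

##@ Help

# Self-documenting help: lines matching `target: ## text` become entries and
# `##@ text` lines become section headings. The target regex uses plain `.*`
# (POSIX ERE) so it works with any awk, not just gawk.
help: ## Show this help
	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} \
	/^[a-zA-Z_-]+:.*##/ { printf "  \033[36m%-22s\033[0m %s\n", $$1, $$2 } \
	/^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)

.PHONY: db-deploy db-status db-shell db-logs bitnami-repo pg-deploy pg-status pg-pgpool-check valkey-deploy valkey-status \
	openbao-repo openbao-dry-run openbao-deploy openbao-status backup help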