railiance-platform/helm/apps-pg-cluster.yaml

---
# Shared CNPG Cluster for S5 application databases (RAILIANCE-WP-0003).
# Owned by railiance-platform (S3). Operator lives in cnpg-system.
#
# Apply: kubectl apply -f helm/apps-pg-cluster.yaml
# Status: kubectl cnpg status apps-pg -n databases   (requires cnpg kubectl plugin)
#         or: kubectl get cluster apps-pg -n databases -o wide
#
# Pre-condition: apps-pg-credentials Secret must exist in databases ns.
#   See helm/apps-pg-secret.sops.yaml.template for the bootstrap recipe.
#
# Consumer onboarding: see docs/apps-pg.md. The bootstrap role apps_admin
# and meta DB apps_meta exist only to anchor the cluster; per-app roles
# and databases are added through the documented onboarding contract.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: apps-pg
  namespace: databases
  labels:
    app.kubernetes.io/name: apps-pg
    app.kubernetes.io/component: database
    app.kubernetes.io/managed-by: manual
    railiance.io/layer: s3-platform
    railiance.io/role: shared-apps-database
spec:
  instances: 1   # bump to 3 when node RAM > 8GB
  imageName: ghcr.io/cloudnative-pg/postgresql:16
  storage:
    size: 10Gi
  bootstrap:
    initdb:
      database: apps_meta
      owner: apps_admin
      secret:
        name: apps-pg-credentials
  # Per-app PostgreSQL roles are added here (CNPG 1.28 role lifecycle is
  # cluster-scoped — no standalone Role CR). The credential Secret for
  # each role lives in the databases namespace and is mirrored into the
  # consumer namespace by the consuming repo. See docs/apps-pg.md.
  managed:
    roles:
      - name: vergabe                    # RAILIANCE-WP-0002 T04 (vergabe-teilnahme)
        ensure: present
        login: true
        passwordSecret:
          name: vergabe-app-credentials
  # HA replica + connection pooler are deferred (RAILIANCE-WP-0003 Notes):
  #   services:
  #     additional:
  #       - selectorType: rw
  #         serviceTemplate:
  #           metadata:
  #             name: apps-pg-pooler-rw