railiance-platform/helm/gitea-db-cluster.yaml
tegwick 1a5b65a338 RAILIANCE-WP-0003 T02-T06: provision shared apps-pg cnpg cluster
Adds the shared CloudNativePG cluster apps-pg for S5 application
databases:
- helm/apps-pg-cluster.yaml — Cluster CR, PG 16, 1 instance, 10Gi
- helm/apps-pg-networkpolicies.yaml — egress-to-kube-api +
  ingress-from-cnpg-operator + label-based ingress opt-in
  (railiance.io/postgres-client=apps-pg)
- helm/apps-pg-secret.sops.yaml.template — bootstrap credential
  template (encrypt with SOPS before committing the real .sops.yaml)
- Makefile targets: apps-pg-deploy, apps-pg-status (with cnpg-plugin
  fallback), apps-pg-shell (apps_admin/apps_meta), apps-pg-logs
- docs/apps-pg.md (codex) — consumer onboarding contract clarifying
  the CNPG 1.28 role/database lifecycle boundary

Also fixes helm/gitea-db-cluster.yaml: spec.postgresql.version is not
a valid CNPG v1 field (strict decoding rejects it). Replaced with
spec.imageName matching the live cluster (postgresql:18.1-system-trixie)
so make db-deploy is a no-op instead of an apply rejection.

Live state at commit time: Cluster apps-pg in healthy state, primary
apps-pg-1 Running, smoke-tested via psql from a labeled temp ns.

Co-Authored-By: codex <noreply@openai.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-19 04:50:40 +02:00

47 lines
1.5 KiB
YAML

---
# cnpg Cluster for Gitea database
# Managed by railiance-platform (S3). Operator lives in cnpg-system namespace.
#
# Apply:  kubectl apply -f helm/gitea-db-cluster.yaml
# Status: kubectl cnpg status gitea-db -n databases
#
# Pre-condition: gitea-db-credentials Secret must exist in databases namespace.
# Create it (one-time, do NOT commit plaintext):
#   kubectl create secret generic gitea-db-credentials \
#     --namespace databases \
#     --from-literal=username=gitea \
#     --from-literal=password=<password>
# Then encrypt with SOPS and commit helm/gitea-db-secret.sops.yaml.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: gitea-db
  namespace: databases
  labels:
    app.kubernetes.io/name: gitea-db
    app.kubernetes.io/component: database
    app.kubernetes.io/managed-by: manual
    railiance.io/layer: s3-platform
spec:
  instances: 1 # bump to 3 when node RAM > 8GB
  # spec.postgresql.version is not a real CNPG v1 field; use imageName.
  # Live cluster was upgraded to PG 18.1; match the live state so
  # `make db-deploy` (kubectl apply) is a no-op rather than a rejection.
  imageName: ghcr.io/cloudnative-pg/postgresql:18.1-system-trixie
  storage:
    size: 10Gi
  bootstrap:
    initdb:
      database: gitea
      owner: gitea
      secret:
        name: gitea-db-credentials
  # An additional managed Service (e.g. a dedicated rw endpoint for a pooler;
  # PgBouncer itself is a separate CNPG Pooler CR) can be added later:
  # managed:
  #   services:
  #     additional:
  #       - selectorType: rw
  #         serviceTemplate:
  #           metadata:
  #             name: gitea-db-pooler-rw
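The header comments above state a pre-condition (the bootstrap Secret must exist before apply) and the commit message records that `kubectl apply` rejected the manifest under strict decoding because `spec.postgresql.version` is not a CNPG v1 field. The script below is an added example, not part of the railiance-platform repo or its Makefile: `lint_cluster_manifest` reproduces that field check offline with awk so it can run in CI without a cluster, and `preflight` (a hypothetical helper; it needs `kubectl` and cluster access, so it is defined but not run here) performs the authoritative checks, namely that the Secret named in `bootstrap.initdb.secret` exists and that a server-side dry-run with `--validate=strict` accepts the CR. The two sample manifests are constructed inputs mirroring the pre-fix and post-fix shape of the spec.

```shell
#!/bin/sh
# Pre-apply checks for a CNPG Cluster CR (added example; not project code).
set -eu

# Offline structural lint. CNPG v1 selects the PostgreSQL major version through
# spec.imageName; a spec.postgresql.version key is an unknown field and is
# rejected by strict decoding. Exit 0 = ok, 1 = invalid field, 2 = no imageName.
lint_cluster_manifest() {
  awk '
    /^[^ #]/                                  { top = $1; key2 = "" }  # top-level key, e.g. "spec:"
    top == "spec:" && /^  [A-Za-z]/           { key2 = $1 }            # key directly under spec
    top == "spec:" && key2 == "postgresql:" && /^    version:/ { bad = 1 }
    top == "spec:" && /^  imageName:/         { img = 1 }
    END {
      if (bad) { print "reject: spec.postgresql.version is not a CNPG v1 field"; exit 1 }
      if (!img) { print "reject: spec.imageName missing"; exit 2 }
      print "ok: " FILENAME
    }
  ' "$1"
}

# Authoritative check against the live API server (hypothetical helper; not
# invoked below because it requires kubectl and a reachable cluster).
# 1. The bootstrap credential Secret must already exist in the namespace.
# 2. --dry-run=server --validate=strict makes the server reject unknown fields
#    exactly as a real apply would, without creating anything.
preflight() {
  manifest=$1; namespace=$2; secret=$3
  kubectl get secret "$secret" -n "$namespace" >/dev/null
  kubectl apply --dry-run=server --validate=strict -f "$manifest" >/dev/null
}

# Constructed sample inputs: the pre-fix and the post-fix shape of the spec.
BROKEN=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$BROKEN" "$FIXED"' EXIT
cat >"$BROKEN" <<'EOF'
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: gitea-db
spec:
  instances: 1
  postgresql:
    version: "16"
  storage:
    size: 10Gi
EOF
cat >"$FIXED" <<'EOF'
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: gitea-db
spec:
  instances: 1
  imageName: ghcr.io/cloudnative-pg/postgresql:18.1-system-trixie
  storage:
    size: 10Gi
EOF

lint_cluster_manifest "$FIXED"
if ! lint_cluster_manifest "$BROKEN"; then
  echo "lint rejected the pre-fix manifest, as strict decoding on the server would"
fi
```

The awk lint is deliberately narrow: it only knows about the one field this commit tripped over, so treat it as a fast CI guard, and keep `kubectl apply --dry-run=server --validate=strict` in the deploy path as the check that actually matches the API server's schema.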