railiance-platform/Makefile
tegwick 1a5b65a338 RAILIANCE-WP-0003 T02-T06: provision shared apps-pg cnpg cluster
Adds the shared CloudNativePG cluster apps-pg for S5 application
databases:
- helm/apps-pg-cluster.yaml — Cluster CR, PG 16, 1 instance, 10Gi
- helm/apps-pg-networkpolicies.yaml — egress-to-kube-api +
  ingress-from-cnpg-operator + label-based ingress opt-in
  (railiance.io/postgres-client=apps-pg)
- helm/apps-pg-secret.sops.yaml.template — bootstrap credential
  template (encrypt with SOPS before committing the real .sops.yaml)
- Makefile targets: apps-pg-deploy, apps-pg-status (with cnpg-plugin
  fallback), apps-pg-shell (apps_admin/apps_meta), apps-pg-logs
- docs/apps-pg.md (codex) — consumer onboarding contract clarifying
  the CNPG 1.28 role/database lifecycle boundary

Also fixes helm/gitea-db-cluster.yaml: spec.postgresql.version is not
a valid CNPG v1 field (strict decoding rejects it). Replaced with
spec.imageName matching the live cluster (postgresql:18.1-system-trixie)
so make db-deploy is a no-op instead of an apply rejection.

Live state at commit time: Cluster apps-pg in healthy state, primary
apps-pg-1 Running, smoke-tested via psql from a labeled temp ns.

Co-Authored-By: codex <noreply@openai.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-19 04:50:40 +02:00


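# Bash (not sh) is required: the deploy recipes use process substitution, <(sops -d ...).
SHELL := /usr/bin/env bash
# Fail a recipe line when any stage of a pipeline fails, not only its last one, so
# `kubectl create ... --dry-run=client -o yaml | kubectl apply -f -` cannot report
# success after the first kubectl failed. `-e` is deliberately NOT set: pg-pgpool-check
# relies on a failed kubectl leaving $SECRET empty so it can print its own diagnostic
# before exiting non-zero.
.SHELLFLAGS := -o pipefail -c
.DEFAULT_GOAL := help
# Kubeconfig: prefer the hosteurope file when it exists, otherwise the default one.
# `?=` lets an exported KUBECONFIG win. NOTE: `--kubeconfig=` (used below) accepts a
# single file, so a colon-separated KUBECONFIG list from the environment will not work.
KUBECONFIG ?= $(firstword $(wildcard $(HOME)/.kube/config-hosteurope) $(HOME)/.kube/config)
# kubectl binary: first hit on PATH, else ~/.local/bin/kubectl, else the bare name
# (and let the shell report it missing). The `$(shell ...)` is recursive via `?=`,
# but it is expanded exactly once, by the simple assignment to KUBECTL below.
KUBECTL_BIN ?= $(firstword $(shell command -v kubectl 2>/dev/null) $(wildcard $(HOME)/.local/bin/kubectl) kubectl)
KUBECTL := $(KUBECTL_BIN) --kubeconfig=$(KUBECONFIG)
HELM := helm --kubeconfig=$(KUBECONFIG)
# Namespace of the legacy PostgreSQL HA and Valkey releases; the cnpg clusters live in "databases".
NAMESPACE := platform
PG_CHART_VERSION ?= 16.2.2
# Floating constraint (newest 2.* chart). Not referenced by any recipe in this file at present.
VALKEY_CHART_VERSION ?= 2.x
OPENBAO_CHART_VERSION ?= 0.28.2
OPENBAO_NAMESPACE ?= openbao
OPENBAO_RELEASE ?= openbao
OPENBAO_VALUES ?= helm/openbao-values.yaml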
##@ CloudNative PG (cnpg) — primary database operator
# Manifest of the Gitea cnpg Cluster CR (namespace is set inside the manifest).
db-deploy: manifest := helm/gitea-db-cluster.yaml
db-deploy: ## Apply Gitea cnpg Cluster (creates gitea-db in databases namespace)
	$(KUBECTL) apply -f $(manifest)
# Prefer the cnpg kubectl plugin's rich status view; when the plugin is not
# installed (or errors), fall back to the plain Cluster resource listing.
db-status: ## Show cnpg cluster health
	if ! $(KUBECTL) cnpg status gitea-db -n databases 2>/dev/null; then \
	  $(KUBECTL) get cluster gitea-db -n databases -o wide; \
	fi
# Interactive psql via the cnpg plugin; user and database are both "gitea".
db-shell: cluster := gitea-db
db-shell: ## Open psql shell on gitea-db primary
	$(KUBECTL) cnpg psql $(cluster) -n databases -- -U gitea gitea
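# Follow the primary's logs only. The previous selector (cnpg.io/cluster alone)
# matched every instance of the cluster, contrary to the target's description,
# and would hit kubectl's multi-pod follow limit once replicas are added.
db-logs: ## Tail gitea-db primary logs
	$(KUBECTL) logs -n databases -l cnpg.io/cluster=gitea-db,cnpg.io/instanceRole=primary -f --tail=50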
##@ Shared apps-pg (S5 application databases)
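# NetworkPolicies are applied BEFORE the Cluster CR: they select pods by label,
# so the database instances never come up without their ingress restrictions,
# even briefly. Both manifests target the databases namespace.
apps-pg-deploy: ## Apply shared apps-pg cnpg Cluster + NetworkPolicies
	$(KUBECTL) apply -f helm/apps-pg-networkpolicies.yaml
	$(KUBECTL) apply -f helm/apps-pg-cluster.yaml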
# Rich view via the cnpg plugin when available; otherwise the plain Cluster
# resource in wide format.
apps-pg-status: cluster := apps-pg
apps-pg-status: ## Show apps-pg cnpg cluster health
	$(KUBECTL) cnpg status $(cluster) -n databases 2>/dev/null \
	  || $(KUBECTL) get cluster $(cluster) -n databases -o wide
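# Interactive psql on the apps-pg primary as apps_admin/apps_meta.
# The plugin is probed explicitly instead of `cnpg psql ... 2>/dev/null || exec ...`:
# that form silenced psql's own stderr for the whole interactive session and also
# fell through to the fallback on an ordinary psql failure (e.g. bad credentials).
# The fallback resolves the current primary by label instead of assuming apps-pg-1,
# which is wrong after a switchover/failover.
apps-pg-shell: ## Open psql shell on apps-pg primary as apps_admin / apps_meta
	if $(KUBECTL) cnpg version >/dev/null 2>&1; then \
	  $(KUBECTL) cnpg psql apps-pg -n databases -- -U apps_admin apps_meta; \
	else \
	  primary=$$($(KUBECTL) get pod -n databases \
	    -l cnpg.io/cluster=apps-pg,cnpg.io/instanceRole=primary \
	    -o jsonpath='{.items[0].metadata.name}'); \
	  if [ -z "$$primary" ]; then \
	    echo "ERROR: no primary pod found for cluster apps-pg in namespace databases" >&2; \
	    exit 1; \
	  fi; \
	  $(KUBECTL) exec -it -n databases "$$primary" -- psql -U apps_admin apps_meta; \
	fi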
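# Follow the primary's logs only. cnpg.io/cluster alone matches every instance
# of the cluster (contrary to the description) and would hit kubectl's multi-pod
# follow limit once replicas are added.
apps-pg-logs: ## Tail apps-pg primary logs
	$(KUBECTL) logs -n databases -l cnpg.io/cluster=apps-pg,cnpg.io/instanceRole=primary -f --tail=50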
##@ PostgreSQL HA (legacy — superseded by cnpg above)
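# Legacy standalone PostgreSQL HA release (superseded by the cnpg clusters above).
# Values come from a SOPS-encrypted file decrypted on the fly via process substitution.
pg-deploy: ## Deploy / upgrade standalone PostgreSQL HA to platform namespace
	$(KUBECTL) create namespace $(NAMESPACE) --dry-run=client -o yaml | $(KUBECTL) apply -f -
	$(HELM) repo add bitnami https://charts.bitnami.com/bitnami --force-update
# Fail fast if the values file cannot be decrypted. Inside <(...) a failing
# `sops -d` is invisible to helm, which would read an empty values stream and
# upgrade the release with the chart's defaults instead of ours.
	sops -d helm/postgresql-ha-values.sops.yaml >/dev/null
	$(HELM) upgrade --install postgresql-ha bitnami/postgresql-ha \
	  --version $(PG_CHART_VERSION) \
	  --namespace $(NAMESPACE) \
	  -f <(sops -d helm/postgresql-ha-values.sops.yaml) \
	  --wait --timeout 5m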
# Pods of the legacy PostgreSQL HA release, selected by the chart's name label.
pg-status: selector := app.kubernetes.io/name=postgresql-ha
pg-status: ## Check PostgreSQL HA pod status
	$(KUBECTL) get pods -n $(NAMESPACE) -l $(selector)
# Guard against the pgpool CrashLoop described in RAIL-BS-WP-0003: the secret
# postgresql-ha-postgresql must carry a pgpool-password key. A missing key, a
# missing secret or a failed kubectl all yield an empty value and a non-zero exit.
pg-pgpool-check: ## Verify pgpool-password secret key is present (see RAIL-BS-WP-0003)
	@key=$$($(KUBECTL) get secret -n $(NAMESPACE) postgresql-ha-postgresql \
	    -o jsonpath='{.data.pgpool-password}' 2>/dev/null); \
	if [ -n "$$key" ]; then \
	  echo "OK: pgpool-password key present"; \
	else \
	  echo "ERROR: pgpool-password key missing from secret — pgpool will CrashLoop on restart"; \
	  exit 1; \
	fi
##@ Valkey (cache)
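# Valkey release from the bitnami repo; values are SOPS-encrypted and decrypted
# on the fly via process substitution.
# NOTE(review): VALKEY_CHART_VERSION is defined but not passed here, so this
# upgrade floats to the newest chart; add `--version $(VALKEY_CHART_VERSION)`
# once the live release's chart version is confirmed compatible.
valkey-deploy: ## Deploy / upgrade Valkey (Redis-compatible) to platform namespace
	$(KUBECTL) create namespace $(NAMESPACE) --dry-run=client -o yaml | $(KUBECTL) apply -f -
# Make the target self-contained: the bitnami repo used to be added only by pg-deploy.
	$(HELM) repo add bitnami https://charts.bitnami.com/bitnami --force-update
# Fail fast if the values file cannot be decrypted; inside <(...) helm would
# otherwise read an empty values stream and upgrade with the chart's defaults.
	sops -d helm/valkey-values.sops.yaml >/dev/null
	$(HELM) upgrade --install valkey bitnami/valkey \
	  --namespace $(NAMESPACE) \
	  -f <(sops -d helm/valkey-values.sops.yaml) \
	  --wait --timeout 3m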
# Pods of the Valkey release, selected by the chart's name label.
valkey-status: selector := app.kubernetes.io/name=valkey
valkey-status: ## Check Valkey pod status
	$(KUBECTL) get pods -n $(NAMESPACE) -l $(selector)
##@ OpenBao (secrets)
# Register (or re-point, via --force-update) the official OpenBao chart repo and
# refresh its index. Prerequisite of the openbao-dry-run / openbao-deploy targets.
openbao-repo: ## Add / update the official OpenBao Helm repository
	$(HELM) repo add openbao https://openbao.github.io/openbao-helm --force-update \
	  && $(HELM) repo update openbao
# Same release/chart/values as openbao-deploy, rendered with --dry-run so the
# manifests can be reviewed without touching the cluster.
openbao-dry-run: openbao-repo ## Render the OpenBao Helm release without applying it
	$(HELM) upgrade --install $(OPENBAO_RELEASE) openbao/openbao --dry-run \
	  --create-namespace --namespace $(OPENBAO_NAMESPACE) \
	  --version $(OPENBAO_CHART_VERSION) \
	  -f $(OPENBAO_VALUES)
# The namespace is created idempotently via kubectl (dry-run render piped into
# apply), so helm does not need --create-namespace here. Plain-text values file;
# secrets are expected to live in OpenBao itself, not in this chart's values.
openbao-deploy: openbao-repo ## Deploy / upgrade OpenBao to the openbao namespace
	$(KUBECTL) create namespace $(OPENBAO_NAMESPACE) --dry-run=client -o yaml \
	  | $(KUBECTL) apply -f -
	$(HELM) upgrade --install $(OPENBAO_RELEASE) openbao/openbao \
	  --namespace $(OPENBAO_NAMESPACE) \
	  --version $(OPENBAO_CHART_VERSION) \
	  -f $(OPENBAO_VALUES) \
	  --wait --timeout 5m
# Resource overview for the release, then the server's seal/init state.
openbao-status: ## Show OpenBao pods, services, PVCs, and seal/init status
	$(KUBECTL) get pods,svc,pvc -o wide -n $(OPENBAO_NAMESPACE) \
	  -l app.kubernetes.io/instance=$(OPENBAO_RELEASE)
# `-` prefix: `bao status` is expected to exit non-zero when the server is sealed
# or uninitialised — precisely the state this target exists to show — so that
# exit code must not fail the target.
	-$(KUBECTL) exec -n $(OPENBAO_NAMESPACE) $(OPENBAO_RELEASE)-0 -- bao status
##@ Backup
# Delegates to the backup script, run as root via sudo. The path is relative to
# the directory make is invoked from, i.e. the repository root.
backup: ## Backup platform services (PostgreSQL logical dump) — age-encrypted to Nextcloud
	sudo ./tools/cmd/railiance-backup
##@ Help
# Self-documenting help: prints every `target: ## text` line of this Makefile
# (target in cyan, padded to 22 columns) and renders `##@ text` lines as bold
# section headings. $(MAKEFILE_LIST) is the list of makefiles parsed so far.
help: ## Show this help
	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} \
	/^[a-zA-Z_-]+:.*?##/ { printf " \033[36m%-22s\033[0m %s\n", $$1, $$2 } \
	/^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)
# Every target in this file is a command, not a file; grouped per section.
.PHONY: db-deploy db-status db-shell db-logs
.PHONY: apps-pg-deploy apps-pg-status apps-pg-shell apps-pg-logs
.PHONY: pg-deploy pg-status pg-pgpool-check
.PHONY: valkey-deploy valkey-status
.PHONY: openbao-repo openbao-dry-run openbao-deploy openbao-status
.PHONY: backup help