coulomb/railiance-platform
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1a5b65a338fcf8bc9c75da8ece1eb2b7cbb37335
railiance-platform/helm/apps-pg-secret.sops.yaml.template
tegwick 1a5b65a338 RAILIANCE-WP-0003 T02-T06: provision shared apps-pg cnpg cluster 
Adds the shared CloudNativePG cluster apps-pg for S5 application
databases:
- helm/apps-pg-cluster.yaml — Cluster CR, PG 16, 1 instance, 10Gi
- helm/apps-pg-networkpolicies.yaml — egress-to-kube-api +
  ingress-from-cnpg-operator + label-based ingress opt-in
  (railiance.io/postgres-client=apps-pg)
- helm/apps-pg-secret.sops.yaml.template — bootstrap credential
  template (encrypt with SOPS before committing the real .sops.yaml)
- Makefile targets: apps-pg-deploy, apps-pg-status (with cnpg-plugin
  fallback), apps-pg-shell (apps_admin/apps_meta), apps-pg-logs
- docs/apps-pg.md (codex) — consumer onboarding contract clarifying
  the CNPG 1.28 role/database lifecycle boundary

Also fixes helm/gitea-db-cluster.yaml: spec.postgresql.version is not
a valid CNPG v1 field (strict decoding rejects it). Replaced with
spec.imageName matching the live cluster (postgresql:18.1-system-trixie)
so make db-deploy is a no-op instead of an apply rejection.

Live state at commit time: Cluster apps-pg in healthy state, primary
apps-pg-1 Running, smoke-tested via psql from a labeled temp ns.

Co-Authored-By: codex <noreply@openai.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-19 04:50:40 +02:00

26 lines
962 B
Plaintext
Raw Blame History

# Template for the apps-pg-credentials Secret.
# DO NOT commit this file with real credentials.
# Encrypt with: sops -e -i helm/apps-pg-secret.sops.yaml
# Apply with: kubectl apply -f <(sops -d helm/apps-pg-secret.sops.yaml)
#
# This Secret is consumed by the bootstrap.initdb stanza of
# helm/apps-pg-cluster.yaml and only exists to create the platform
# bootstrap role `apps_admin` and meta DB `apps_meta`. It is NOT a
# runtime credential for any S5 application — those are issued per
# consumer through the onboarding contract in docs/apps-pg.md.
---
apiVersion: v1
kind: Secret
metadata:
name: apps-pg-credentials
namespace: databases
labels:
app.kubernetes.io/name: apps-pg
app.kubernetes.io/component: database-bootstrap
app.kubernetes.io/managed-by: manual
railiance.io/layer: s3-platform
type: kubernetes.io/basic-auth
stringData:
username: apps_admin
password: REPLACE_WITH_PASSWORD # encrypt with SOPS before committing
Reference in New Issue View Git Blame Copy Permalink