feat(statehub): add railiance deployment manifests

This commit is contained in:
2026-06-25 15:15:30 +02:00
parent 6ee5542a88
commit 434c80c2c3
16 changed files with 535 additions and 2 deletions


@@ -0,0 +1,28 @@
---
# Dedicated CNPG Cluster for State Hub episodic memory.
# Owned by railiance-platform (S3). Operator lives in cnpg-system.
#
# Pre-condition: state-hub-db-credentials Secret exists in databases namespace.
# Runtime app Secret is separate and lives in the state-hub namespace.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: state-hub-db
namespace: databases
labels:
app.kubernetes.io/name: state-hub-db
app.kubernetes.io/component: database
app.kubernetes.io/managed-by: manual
railiance.io/layer: s3-platform
railiance.io/role: state-hub-database
spec:
instances: 1
imageName: ghcr.io/cloudnative-pg/postgresql:16
storage:
size: 10Gi
bootstrap:
initdb:
database: state_hub
owner: state_hub
secret:
name: state-hub-db-credentials
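Review bot: `imageName: ghcr.io/cloudnative-pg/postgresql:16` in the spec is a major-only tag that tracks whatever 16.x minor is current at pull time, so a pod restart can silently change the server version and the rollout is not reproducible; pin to a specific minor and, ideally, a digest, e.g. `imageName: ghcr.io/cloudnative-pg/postgresql:16.<minor>@sha256:<digest>` (placeholders to be filled from the registry). `instances: 1` with no `backup:` stanza also leaves the episodic-memory data on a single PVC with no recovery path; if that is deliberate for this stage, a comment next to `instances: 1` saying so (`# single instance, no backup yet: acceptable until <condition>`) would spare the next reader the question. The header's note on the operator namespace and the bootstrap Secret pre-condition is useful and should stay.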


@@ -0,0 +1,19 @@
# Template for the state-hub-db bootstrap Secret.
# DO NOT commit this file with real credentials.
# Encrypt with: sops -e -i state-hub-db-credentials.sops.yaml
# Apply with: kubectl apply -f <(sops -d state-hub-db-credentials.sops.yaml)
---
apiVersion: v1
kind: Secret
metadata:
name: state-hub-db-credentials
namespace: databases
labels:
app.kubernetes.io/name: state-hub-db
app.kubernetes.io/component: database-bootstrap
app.kubernetes.io/managed-by: manual
railiance.io/layer: s3-platform
type: kubernetes.io/basic-auth
stringData:
username: state_hub
password: REPLACE_WITH_PASSWORD
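Review bot: The header instructs an in-place `sops -e -i state-hub-db-credentials.sops.yaml`, so the plaintext template and the encrypted artefact share one path, and nothing visible in this commit distinguishes the two states — a file at that path whose `stringData.password` is not a sops ciphertext is exactly the leak the `DO NOT commit` comment warns about. A repo-level `.sops.yaml` creation rule for `*.sops.yaml` plus a pre-commit check that rejects a `password:` value in a file lacking a `sops:` metadata block would make the rule enforceable rather than advisory; if those already exist elsewhere, a pointer to them in the header would help. The `REPLACE_WITH_PASSWORD` placeholder is itself a valid basic-auth value, so applying the template unedited bootstraps the database with a known password; a comment such as `# Generate with: openssl rand -base64 32` beside `password:` makes the expected procedure explicit. Minor: the header comment precedes `---` here but follows it in the Cluster manifest; pick one placement.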


@@ -0,0 +1,74 @@
---
# NetworkPolicies for the dedicated State Hub CNPG cluster.
# Namespaces that need database access must carry:
# railiance.io/postgres-client: state-hub-db
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-kube-api-state-hub-db
namespace: databases
labels:
app.kubernetes.io/name: state-hub-db
railiance.io/layer: s3-platform
spec:
podSelector:
matchLabels:
cnpg.io/cluster: state-hub-db
policyTypes:
- Egress
egress:
- to:
- namespaceSelector: {}
ports:
- protocol: TCP
port: 6443
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-from-cnpg-operator-state-hub-db
namespace: databases
labels:
app.kubernetes.io/name: state-hub-db
railiance.io/layer: s3-platform
spec:
podSelector:
matchLabels:
cnpg.io/cluster: state-hub-db
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: cnpg-system
ports:
- protocol: TCP
port: 5432
- protocol: TCP
port: 8000
- protocol: TCP
port: 9187
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-from-state-hub-namespace-state-hub-db
namespace: databases
labels:
app.kubernetes.io/name: state-hub-db
railiance.io/layer: s3-platform
spec:
podSelector:
matchLabels:
cnpg.io/cluster: state-hub-db
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
railiance.io/postgres-client: state-hub-db
ports:
- protocol: TCP
port: 5432
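Review bot: In the first policy (`allow-egress-kube-api-state-hub-db`), `namespaceSelector: {}` on port 6443 only matches pods in namespaces, and on many clusters the API endpoint the CNPG instance manager talks to (the `kubernetes` Service / control-plane node IPs) is not a pod a namespace selector can match, so the policy may deny the very traffic it is named for — verify on this CNI and, if needed, express the target as an `ipBlock` for the control-plane endpoint. Because this is, at least within this file, the only policy with `policyTypes: [Egress]` selecting `cnpg.io/cluster: state-hub-db`, everything not listed is dropped too: DNS on 53, streaming replication to peers if `instances` is ever raised above 1, and any future backup to object storage; a comment above the rule, `# Sole egress policy for these pods: anything not listed here (DNS, replication, backups) is denied.`, would save the next operator a debugging session. The two ingress policies select by namespace only, so every pod in `cnpg-system` or in any namespace labelled `railiance.io/postgres-client: state-hub-db` can reach 5432; adding a `podSelector` alongside each `namespaceSelector` would narrow that to the operator and the State Hub workload.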