generated from coulomb/repo-seed
feat(statehub): add railiance deployment manifests
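--- a/deploy/railiance/platform/state-hub-db-cluster.yaml
+++ b/deploy/railiance/platform/state-hub-db-cluster.yaml
@@ -0,0 +1,28 @@
+---
+# Dedicated CNPG Cluster for State Hub episodic memory.
+# Owned by railiance-platform (S3). Operator lives in cnpg-system.
+#
+# Pre-condition: state-hub-db-credentials Secret exists in databases namespace.
+# Runtime app Secret is separate and lives in the state-hub namespace.
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: state-hub-db
+  namespace: databases
+  labels:
+    app.kubernetes.io/name: state-hub-db
+    app.kubernetes.io/component: database
+    app.kubernetes.io/managed-by: manual
+    railiance.io/layer: s3-platform
+    railiance.io/role: state-hub-database
+spec:
+  instances: 1
+  imageName: ghcr.io/cloudnative-pg/postgresql:16
+  storage:
+    size: 10Gi
+  bootstrap:
+    initdb:
+      database: state_hub
+      owner: state_hub
+      secret:
+        name: state-hub-db-credentials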
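Review bot: `imageName: ghcr.io/cloudnative-pg/postgresql:16` pins only the major version, so a pod restart or a re-created instance can pull a different build than the one that was reviewed and tested; for a platform-owned database the patch tag and, preferably, the digest should be pinned and bumped deliberately, e.g. `imageName: ghcr.io/cloudnative-pg/postgresql:16.<PATCH>@sha256:<DIGEST>` (placeholders). The spec also has `instances: 1` and no `backup` stanza, so the episodic-memory store has no replica and no recovery path beyond the PVC; if that is the accepted state for now, a one-line comment under `spec:` such as `# single instance, no backups yet — accepted for S3 bring-up` would save the next reader from raising it again. The header comment names the Secret the cluster expects but not its required type; adding `# (type kubernetes.io/basic-auth, keys username/password)` to the pre-condition line would make the contract with the bootstrap Secret explicit.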
@@ -0,0 +1,19 @@
|
||||
# Template for the state-hub-db bootstrap Secret.
|
||||
# DO NOT commit this file with real credentials.
|
||||
# Encrypt with: sops -e -i state-hub-db-credentials.sops.yaml
|
||||
# Apply with: kubectl apply -f <(sops -d state-hub-db-credentials.sops.yaml)
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: state-hub-db-credentials
|
||||
namespace: databases
|
||||
labels:
|
||||
app.kubernetes.io/name: state-hub-db
|
||||
app.kubernetes.io/component: database-bootstrap
|
||||
app.kubernetes.io/managed-by: manual
|
||||
railiance.io/layer: s3-platform
|
||||
type: kubernetes.io/basic-auth
|
||||
stringData:
|
||||
username: state_hub
|
||||
password: REPLACE_WITH_PASSWORD
|
||||
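Review bot: The apply recipe in the header comment, `kubectl apply -f <(sops -d state-hub-db-credentials.sops.yaml)`, performs a client-side apply, which stores the submitted object — including `stringData.password` — in the Secret's `kubectl.kubernetes.io/last-applied-configuration` annotation, so the plaintext password is persisted a second time in metadata that is shown by any `-o yaml` read of the object. Server-side apply or a plain create avoids that annotation; the comment could read `# Apply with: kubectl apply --server-side -f <(sops -d state-hub-db-credentials.sops.yaml)`. This hunk's file header is not on the page, so the path of the template file, and whether it is kept distinct from the encrypted `.sops.yaml` that the creation rules match, cannot be checked here. Since `username: state_hub` has to match `owner: state_hub` in the Cluster bootstrap, a comment on that line noting the coupling would help.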
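--- a/deploy/railiance/platform/state-hub-db-networkpolicies.yaml
+++ b/deploy/railiance/platform/state-hub-db-networkpolicies.yaml
@@ -0,0 +1,74 @@
+---
+# NetworkPolicies for the dedicated State Hub CNPG cluster.
+# Namespaces that need database access must carry:
+# railiance.io/postgres-client: state-hub-db
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-kube-api-state-hub-db
+  namespace: databases
+  labels:
+    app.kubernetes.io/name: state-hub-db
+    railiance.io/layer: s3-platform
+spec:
+  podSelector:
+    matchLabels:
+      cnpg.io/cluster: state-hub-db
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - namespaceSelector: {}
+      ports:
+        - protocol: TCP
+          port: 6443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-from-cnpg-operator-state-hub-db
+  namespace: databases
+  labels:
+    app.kubernetes.io/name: state-hub-db
+    railiance.io/layer: s3-platform
+spec:
+  podSelector:
+    matchLabels:
+      cnpg.io/cluster: state-hub-db
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: cnpg-system
+      ports:
+        - protocol: TCP
+          port: 5432
+        - protocol: TCP
+          port: 8000
+        - protocol: TCP
+          port: 9187
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-from-state-hub-namespace-state-hub-db
+  namespace: databases
+  labels:
+    app.kubernetes.io/name: state-hub-db
+    railiance.io/layer: s3-platform
+spec:
+  podSelector:
+    matchLabels:
+      cnpg.io/cluster: state-hub-db
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              railiance.io/postgres-client: state-hub-db
+      ports:
+        - protocol: TCP
+          port: 5432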
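Review bot: The egress rule in `allow-egress-kube-api-state-hub-db` relies on `namespaceSelector: {}` to admit traffic to the API server, but that selector matches pod IPs, and on many clusters the `kubernetes` Service resolves to control-plane node addresses rather than pods, so whether TCP 6443 actually passes depends on the CNI; where it does not, the instance manager cannot reach the API and the cluster never reports ready. The portable form is an `ipBlock` for the API endpoint, e.g. `- ipBlock: { cidr: <API_SERVER_IP>/32 }` (placeholder; take the address from the `kubernetes` Endpoints), kept next to the namespace rule for control planes that do run as kube-system pods. Because this is the only Egress policy selecting `cnpg.io/cluster: state-hub-db`, it also denies DNS and peer-instance traffic; that is harmless at `instances: 1` but will break the first scale-up or backup target, so a comment under `egress:` such as `# no DNS/peer egress on purpose: single instance, no backups yet` records the assumption. `allow-ingress-from-state-hub-namespace-state-hub-db` admits every pod in any namespace carrying the `railiance.io/postgres-client` label; if the State Hub workload has a stable pod label, adding a `podSelector` beside the `namespaceSelector` narrows 5432 to it.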