# postgresql-ha-values.yaml.template
#
# Standalone PostgreSQL HA for railiance-platform (S3)
# Chart: bitnami/postgresql-ha, version ~16.x (pin to 16.2.2 or the latest stable release)
#
# Usage:
# 1. Copy this file:
# cp helm/postgresql-ha-values.yaml.template helm/postgresql-ha-values.sops.yaml
# 2. Fill in all CHANGEME_ values (passwords, storage class, replica count)
# 3. Encrypt with SOPS (age key must be loaded):
# sops -e -i helm/postgresql-ha-values.sops.yaml
# 4. Deploy:
# make pg-deploy
#
# Never commit the plaintext .template file with real passwords.
# The .sops.yaml file (encrypted) is what gets committed.
#
# NOTE: pgpoolPassword MUST match postgresql.pgpoolPassword.
# This was the root cause of the 2026-03-10 incident (RAIL-BS-WP-0003).
# Do not omit it.
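---
# Keys are nested exactly as the chart reads them. Helm does not reject an
# unknown or misplaced key unless the chart ships a values.schema.json, so a
# block at the wrong level is silently ignored and the chart default applies.
#
# Every CHANGEME_ placeholder is an ordinary string and would be deployed
# verbatim as the password if left unfilled — grep for CHANGEME_ before
# running sops -e. Passwords are single-quoted so that a real value containing
# '#', ': ', a leading '*', or only digits is not re-typed by the YAML parser.
global:
  postgresql:
    username: postgres
    password: 'CHANGEME_postgres_password'
    database: postgres
    repmgrUsername: repmgr
    repmgrPassword: 'CHANGEME_repmgr_password'

postgresql:
  replicaCount: 3  # all 3 pods on 1 node for now; set anti-affinity when 3 nodes exist
  password: 'CHANGEME_postgres_password'  # must match global.postgresql.password
  postgresPassword: 'CHANGEME_postgres_superuser_password'
  repmgrPassword: 'CHANGEME_repmgr_password'  # must match global.postgresql.repmgrPassword
  # pgpoolPassword is the sr_check_password used by pgpool to probe replicas.
  # It MUST be set here to survive helm upgrade (see incident RAIL-BS-WP-0003).
  pgpoolPassword: 'CHANGEME_pgpool_sr_check_password'
  # NOTE(review): nested here following the order of the original file; confirm
  # against the chart's values.yaml whether `persistence` belongs under
  # `postgresql` or at top level — if misplaced, the volume settings below are
  # dropped without any error and the chart's defaults are used instead.
  persistence:
    enabled: true
    storageClass: ""  # use default StorageClass (local-path on single node; longhorn on 3 nodes)
    size: 10Gi
  podAntiAffinityPreset: "soft"  # soft = prefer spread; switch to "hard" when 3 nodes exist

pgpool:
  replicaCount: 1
  adminPassword: 'CHANGEME_pgpool_admin_password'
  # numInitChildren is the number of preforked pgpool child processes and so
  # bounds concurrent client connections; default 32 is fine for single node
  numInitChildren: 32
  maxPool: 4
  # Connection load balancing
  loadBalancingOnWrite: "transaction"
  readinessProbe:
    enabled: true
  livenessProbe:
    enabled: true

# Metrics (optional — enable when Prometheus is deployed)
metrics:
  enabled: false
  serviceMonitor:
    enabled: false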