diff --git a/Makefile b/Makefile
index 276a8a6..db244fd 100644
--- a/Makefile
+++ b/Makefile
@@ -53,6 +53,19 @@ db-shell: ## Open psql shell on gitea-db primary
 db-logs: ## Tail gitea-db primary logs
 	$(KUBECTL) logs -n databases -l cnpg.io/cluster=gitea-db -f --tail=50
 
+##@ Forgejo database (railiance01 production forge)
+
+forgejo-db-deploy: ## Apply forgejo-db cnpg Cluster + NetworkPolicies on railiance01
+	$(KUBECTL) apply -f helm/forgejo-db-cluster.yaml
+	$(KUBECTL) apply -f helm/forgejo-db-networkpolicies.yaml
+
+forgejo-db-status: ## Show forgejo-db cnpg cluster health
+	$(KUBECTL) cnpg status forgejo-db -n databases 2>/dev/null || \
+	$(KUBECTL) get cluster forgejo-db -n databases -o wide
+
+forgejo-db-shell: ## Open psql shell on forgejo-db primary
+	$(KUBECTL) cnpg psql forgejo-db -n databases -- -U forgejo forgejo
+
 ##@ Shared apps-pg (S5 application databases)
 
 apps-pg-deploy: ## Apply shared apps-pg cnpg Cluster + NetworkPolicies
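Review bot: `forgejo-db-deploy` applies the Cluster before the NetworkPolicies, so the new forgejo-db pods can start and listen on 5432 before any ingress/egress restriction exists, unless the databases namespace already carries a default-deny policy (not visible here). Applying helm/forgejo-db-networkpolicies.yaml first is safe, since those policies only select pods labelled cnpg.io/cluster=forgejo-db, and closes that window: `$(KUBECTL) apply -f helm/forgejo-db-networkpolicies.yaml` followed by `$(KUBECTL) apply -f helm/forgejo-db-cluster.yaml`. The cluster manifest's header names the forgejo-db-credentials Secret as a pre-condition, but the target never checks it; a first recipe line `$(KUBECTL) get secret forgejo-db-credentials -n databases >/dev/null` fails fast instead of leaving the cluster stuck in bootstrap. The `2>/dev/null` in forgejo-db-status also hides why the cnpg plugin call failed; if the fallback is only meant for a missing plugin, a comment saying so would help.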
@@ -342,4 +355,4 @@ help: ## Show this help
 	/^[a-zA-Z_-]+:.*?##/ { printf " \033[36m%-22s\033[0m %s\n", $$1, $$2 } \
 	/^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)
 
-.PHONY: db-deploy db-status db-shell db-logs apps-pg-deploy apps-pg-status apps-pg-shell apps-pg-logs net-kingdom-pg-inter-hub-networkpolicy-deploy pg-deploy pg-status pg-pgpool-check valkey-deploy valkey-status openbao-repo openbao-dry-run openbao-overlay-apply openbao-verify-login-overlay openbao-deploy openbao-status openbao-verify openbao-verify-post-unseal openbao-configure-initial openbao-configure-ssh openbao-verify-ssh openbao-verify-authenticated openbao-configure-external-secrets-issue-core openbao-configure-external-secrets-activity-core openbao-validate-restore-evidence openbao-validate-emergency-evidence credential-grants-validate credential-change-applier-dry-run credential-change-applier-apply-plan credential-change-applier-apply credential-change-runbook credential-change-record-evidence credential-change-lifecycle-plan credential-change-lifecycle-event credential-change-import-inventory openbao-credential-change-appliers-dry-run openbao-configure-credential-change-appliers openbao-token-grants-dry-run openbao-configure-token-grants openbao-verify-token-grants-dry-run openbao-verify-token-grants openbao-verify-token-grants-smoke credential-helper-dry-run credential-tests credential-exec-ops-warden-smoke argocd-bootstrap-dry-run argocd-bootstrap-deploy argocd-repo-apply argocd-status backup help
+.PHONY: db-deploy db-status db-shell db-logs forgejo-db-deploy forgejo-db-status forgejo-db-shell apps-pg-deploy apps-pg-status apps-pg-shell apps-pg-logs net-kingdom-pg-inter-hub-networkpolicy-deploy pg-deploy pg-status pg-pgpool-check valkey-deploy valkey-status openbao-repo openbao-dry-run openbao-overlay-apply openbao-verify-login-overlay openbao-deploy openbao-status openbao-verify openbao-verify-post-unseal openbao-configure-initial openbao-configure-ssh openbao-verify-ssh openbao-verify-authenticated openbao-configure-external-secrets-issue-core openbao-configure-external-secrets-activity-core openbao-validate-restore-evidence openbao-validate-emergency-evidence credential-grants-validate credential-change-applier-dry-run credential-change-applier-apply-plan credential-change-applier-apply credential-change-runbook credential-change-record-evidence credential-change-lifecycle-plan credential-change-lifecycle-event credential-change-import-inventory openbao-credential-change-appliers-dry-run openbao-configure-credential-change-appliers openbao-token-grants-dry-run openbao-configure-token-grants openbao-verify-token-grants-dry-run openbao-verify-token-grants openbao-verify-token-grants-smoke credential-helper-dry-run credential-tests credential-exec-ops-warden-smoke argocd-bootstrap-dry-run argocd-bootstrap-deploy argocd-repo-apply argocd-status backup help
diff --git a/helm/forgejo-db-cluster.yaml b/helm/forgejo-db-cluster.yaml
new file mode 100644
index 0000000..7900d32
--- /dev/null
+++ b/helm/forgejo-db-cluster.yaml
@@ -0,0 +1,31 @@
+---
+# CNPG cluster for Forgejo (railiance01 production forge).
+# Managed by railiance-platform (S3). Operator: cnpg-system.
+#
+# Apply: KUBECONFIG=~/.kube/config-hosteurope make forgejo-db-deploy
+# Status: make forgejo-db-status
+#
+# Pre-condition: forgejo-db-credentials Secret in databases namespace.
+# See helm/forgejo-db-secret.sops.yaml.template
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: forgejo-db
+  namespace: databases
+  labels:
+    app.kubernetes.io/name: forgejo-db
+    app.kubernetes.io/component: database
+    app.kubernetes.io/managed-by: manual
+    railiance.io/layer: s3-platform
+    railiance.io/consumer: forgejo
+spec:
+  instances: 1
+  imageName: ghcr.io/cloudnative-pg/postgresql:16
+  storage:
+    size: 10Gi
+  bootstrap:
+    initdb:
+      database: forgejo
+      owner: forgejo
+      secret:
+        name: forgejo-db-credentials
\ No newline at end of file
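Review bot: `imageName: ghcr.io/cloudnative-pg/postgresql:16` is a floating major tag, so every fresh pull (pod restart, node move, later scale-up) may bring in a different image than the one reviewed here; for a production forge pin it to an explicit version and digest, e.g. `imageName: ghcr.io/cloudnative-pg/postgresql:16.<MINOR>@sha256:<DIGEST>` (placeholders to be filled from the registry). The spec also has no `backup:` section, so with `instances: 1` there is neither WAL archiving nor a base backup of the only copy of the data; if backups are handled outside this manifest, a header comment naming where would spare the next reader the search. A `resources:` block is absent as well, which presumably leaves the instance pod without requests or limits — worth confirming since it affects scheduling and eviction order under node pressure.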
diff --git a/helm/forgejo-db-networkpolicies.yaml b/helm/forgejo-db-networkpolicies.yaml
new file mode 100644
index 0000000..5f33990
--- /dev/null
+++ b/helm/forgejo-db-networkpolicies.yaml
@@ -0,0 +1,61 @@
+---
+# NetworkPolicies for forgejo-db CNPG cluster on railiance01.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-kube-api-forgejo-db
+  namespace: databases
+spec:
+  podSelector:
+    matchLabels:
+      cnpg.io/cluster: forgejo-db
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - port: 6443
+          protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-from-cnpg-operator-forgejo-db
+  namespace: databases
+spec:
+  podSelector:
+    matchLabels:
+      cnpg.io/cluster: forgejo-db
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: cnpg-system
+      ports:
+        - port: 5432
+          protocol: TCP
+        - port: 8000
+          protocol: TCP
+        - port: 9187
+          protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-from-forgejo-forgejo-db
+  namespace: databases
+spec:
+  podSelector:
+    matchLabels:
+      cnpg.io/cluster: forgejo-db
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: forgejo
+      ports:
+        - port: 5432
+          protocol: TCP
\ No newline at end of file
diff --git a/helm/forgejo-db-secret.sops.yaml.template b/helm/forgejo-db-secret.sops.yaml.template
new file mode 100644
index 0000000..5aaeef2
--- /dev/null
+++ b/helm/forgejo-db-secret.sops.yaml.template
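Review bot: The egress rule in allow-egress-kube-api-forgejo-db lists `ports` but has no `to:` selector, so it permits TCP/6443 to any destination inside or outside the cluster, not only to the API server the name suggests; adding a `to:` clause above the existing `ports:`, e.g. `- to:` / `    - ipBlock:` / `        cidr: <API_SERVER_IP>/32` (placeholder taken from the cluster's kubernetes Endpoints), narrows it to what the CNPG instance manager needs. The two ingress policies admit every pod in the cnpg-system and forgejo namespaces; a `podSelector` next to each `namespaceSelector` (operator pod and Forgejo app pod labels, not visible here) would limit 5432 to the two workloads that actually use it. Note also that nothing allows instance-to-instance traffic on 5432, which is fine for `instances: 1` in the cluster manifest but will block streaming replication if the count is ever raised, so a comment recording that assumption would help.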
@@ -0,0 +1,13 @@
+# Template for forgejo-db-credentials (databases namespace).
+# Encrypt: sops -e -i helm/forgejo-db-secret.sops.yaml
+# Apply: KUBECONFIG=~/.kube/config-hosteurope kubectl apply -f <(sops -d helm/forgejo-db-secret.sops.yaml)
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: forgejo-db-credentials
+  namespace: databases
+type: kubernetes.io/basic-auth
+stringData:
+  username: forgejo
+  password: REPLACE_WITH_PASSWORD
\ No newline at end of file
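Review bot: The header's `sops -e -i helm/forgejo-db-secret.sops.yaml` names a file that does not exist yet; the intended workflow is presumably copy the template, fill in the password, encrypt in place, but neither the copy step nor the fact that the plaintext copy must never be committed is stated, and whether .gitignore covers the unencrypted file is not visible here. Suggest a line before the existing Encrypt comment: `# Copy to helm/forgejo-db-secret.sops.yaml, replace REPLACE_WITH_PASSWORD (e.g. openssl rand -base64 32), then:` and a note that the repository's sops rule must cover `stringData` (encrypted_regex) so the password is never stored in clear. Applying the file with the placeholder still in place would set the database password to the literal string REPLACE_WITH_PASSWORD; a comment pointing this out, or a check in the deploy target, is cheap insurance.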