postgres: add flux + vault csi

clusters/atlas/flux-system/applications/kustomization.yaml

@@ -25,5 +25,6 @@ resources:
   - ai-llm/kustomization.yaml
   - nextcloud/kustomization.yaml
   - nextcloud-mail-sync/kustomization.yaml
+  - postgres/kustomization.yaml
   - outline/kustomization.yaml
   - planka/kustomization.yaml

clusters/atlas/flux-system/applications/postgres/kustomization.yaml

@@ -0,0 +1,24 @@
+# clusters/atlas/flux-system/applications/postgres/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: postgres
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ./services/postgres
+  prune: true
+  force: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  targetNamespace: postgres
+  dependsOn:
+    - name: vault
+    - name: vault-csi
+  healthChecks:
+    - apiVersion: apps/v1
+      kind: StatefulSet
+      name: postgres
+      namespace: postgres
+  wait: true

services/postgres/kustomization.yaml

@@ -4,5 +4,7 @@ kind: Kustomization
 namespace: postgres
 resources:
   - namespace.yaml
+  - serviceaccount.yaml
+  - secretproviderclass.yaml
   - service.yaml
   - statefulset.yaml

services/postgres/secretproviderclass.yaml

@@ -0,0 +1,15 @@
+# services/postgres/secretproviderclass.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: postgres-vault
+  namespace: postgres
+spec:
+  provider: vault
+  parameters:
+    vaultAddress: "http://vault.vault.svc.cluster.local:8200"
+    roleName: "postgres"
+    objects: |
+      - objectName: "postgres_password"
+        secretPath: "kv/data/postgres"
+        secretKey: "POSTGRES_PASSWORD"

services/postgres/serviceaccount.yaml

@@ -0,0 +1,6 @@
+# services/postgres/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgres-vault
+  namespace: postgres

services/postgres/statefulset.yaml

@@ -22,6 +22,7 @@ spec:
       labels:
         app: postgres
     spec:
+      serviceAccountName: postgres-vault
       nodeSelector:
         node-role.kubernetes.io/worker: "true"
       affinity:
@@ -47,16 +48,23 @@ spec:
               value: /var/lib/postgresql/data/pgdata
             - name: POSTGRES_USER
               value: postgres
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: postgres-auth
-                  key: POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD_FILE
+              value: /mnt/vault/postgres_password
             - name: POSTGRES_DB
               value: postgres
           volumeMounts:
             - name: postgres-data
               mountPath: /var/lib/postgresql/data
+            - name: vault-secrets
+              mountPath: /mnt/vault
+              readOnly: true
+      volumes:
+        - name: vault-secrets
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: postgres-vault
   volumeClaimTemplates:
     - metadata:
         name: postgres-data