diff --git a/clusters/atlas/flux-system/applications/kustomization.yaml b/clusters/atlas/flux-system/applications/kustomization.yaml
index d48cf9e..6788653 100644
--- a/clusters/atlas/flux-system/applications/kustomization.yaml
+++ b/clusters/atlas/flux-system/applications/kustomization.yaml
@@ -25,5 +25,6 @@ resources:
   - ai-llm/kustomization.yaml
   - nextcloud/kustomization.yaml
   - nextcloud-mail-sync/kustomization.yaml
+  - postgres/kustomization.yaml
   - outline/kustomization.yaml
   - planka/kustomization.yaml
diff --git a/clusters/atlas/flux-system/applications/postgres/kustomization.yaml b/clusters/atlas/flux-system/applications/postgres/kustomization.yaml
new file mode 100644
index 0000000..07df4c7
--- /dev/null
+++ b/clusters/atlas/flux-system/applications/postgres/kustomization.yaml
@@ -0,0 +1,24 @@
+# clusters/atlas/flux-system/applications/postgres/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: postgres
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ./services/postgres
+  prune: true
+  force: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  targetNamespace: postgres
+  dependsOn:
+    - name: vault
+    - name: vault-csi
+  healthChecks:
+    - apiVersion: apps/v1
+      kind: StatefulSet
+      name: postgres
+      namespace: postgres
+  wait: true
diff --git a/services/postgres/kustomization.yaml b/services/postgres/kustomization.yaml
index 1d7c8c0..e9d2c98 100644
--- a/services/postgres/kustomization.yaml
+++ b/services/postgres/kustomization.yaml
@@ -4,5 +4,7 @@ kind: Kustomization
 namespace: postgres
 resources:
   - namespace.yaml
+  - serviceaccount.yaml
+  - secretproviderclass.yaml
   - service.yaml
   - statefulset.yaml
diff --git a/services/postgres/secretproviderclass.yaml b/services/postgres/secretproviderclass.yaml
new file mode 100644
index 0000000..31d247e
--- /dev/null
+++ b/services/postgres/secretproviderclass.yaml
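Review bot: The new `- postgres/kustomization.yaml` entry sits between `nextcloud-mail-sync` and `outline`, breaking the alphabetical order the visible entries otherwise follow. Placing it after `planka/kustomization.yaml` keeps the list scannable and reduces merge conflicts when neighbouring entries are added. The resources list may continue past the hunk, so the exact insertion point should be checked against the full file.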
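Review bot: `wait: true` and `healthChecks` are both set in the new Kustomization; in the Flux `kustomize.toolkit.fluxcd.io/v1` API, enabling `wait` makes the controller wait for every applied resource to become ready and the `healthChecks` list is ignored, so the explicit StatefulSet check here is dead configuration. Either drop `healthChecks` or drop `wait` and keep the targeted check. `force: true` together with `prune: true` on a Kustomization that owns a database StatefulSet also deserves an explanatory line, because a change to an immutable field (for example `volumeClaimTemplates`) will make Flux delete and recreate the StatefulSet instead of failing the reconcile, which for persistent data is usually the moment an operator wants to be asked first. Suggested comment above `force: true`: `# force: recreates resources on immutable-field changes; review carefully for a StatefulSet with persistent data`.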
@@ -0,0 +1,15 @@
+# services/postgres/secretproviderclass.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: postgres-vault
+  namespace: postgres
+spec:
+  provider: vault
+  parameters:
+    vaultAddress: "http://vault.vault.svc.cluster.local:8200"
+    roleName: "postgres"
+    objects: |
+      - objectName: "postgres_password"
+        secretPath: "kv/data/postgres"
+        secretKey: "POSTGRES_PASSWORD"
diff --git a/services/postgres/serviceaccount.yaml b/services/postgres/serviceaccount.yaml
new file mode 100644
index 0000000..0c3db0c
--- /dev/null
+++ b/services/postgres/serviceaccount.yaml
@@ -0,0 +1,6 @@
+# services/postgres/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgres-vault
+  namespace: postgres
diff --git a/services/postgres/statefulset.yaml b/services/postgres/statefulset.yaml
index 014567b..aa96003 100644
--- a/services/postgres/statefulset.yaml
+++ b/services/postgres/statefulset.yaml
@@ -22,6 +22,7 @@ spec:
       labels:
         app: postgres
     spec:
+      serviceAccountName: postgres-vault
       nodeSelector:
         node-role.kubernetes.io/worker: "true"
       affinity:
@@ -47,16 +48,23 @@ spec:
               value: /var/lib/postgresql/data/pgdata
             - name: POSTGRES_USER
               value: postgres
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: postgres-auth
-                  key: POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD_FILE
+              value: /mnt/vault/postgres_password
             - name: POSTGRES_DB
               value: postgres
           volumeMounts:
             - name: postgres-data
               mountPath: /var/lib/postgresql/data
+            - name: vault-secrets
+              mountPath: /mnt/vault
+              readOnly: true
+      volumes:
+        - name: vault-secrets
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: postgres-vault
   volumeClaimTemplates:
     - metadata:
         name: postgres-data
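Review bot: `vaultAddress` points at Vault over plain `http://`, so the service-account-derived Vault token and the fetched Postgres password cross the cluster network in cleartext between the CSI provider on each node and the Vault service; unless TLS is terminated by something not shown here, this should be `https://` with the CA supplied through the provider's `vaultCACertPath` parameter. `roleName: "postgres"` only works once a Vault Kubernetes-auth role of that name is bound to service account `postgres-vault` in namespace `postgres` with a policy scoped to `kv/data/postgres`, and that binding is not part of this commit, so a comment recording where it is managed would help the next reader: `# Vault k8s-auth role "postgres" must be bound to SA postgres/postgres-vault with read access to kv/data/postgres only`. Also confirm the mount is KV v2, since the `kv/data/` prefix in `secretPath` is the v2 data path.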
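Review bot: `POSTGRES_PASSWORD_FILE` is honoured by the official Postgres image only when it initialises an empty data directory; on every later start, including a StatefulSet that already has data on its `postgres-data` claim, the file is not read, so rotating the value in Vault will not change the database role's password and the two will silently diverge. That is inherent to the image rather than a defect in the hunk, but it should be recorded next to the env var: `# read only at initdb; rotating the Vault secret does not rotate the DB password`. Removing the `secretKeyRef` to `postgres-auth` also means any other workload still reading that Secret keeps a stale credential, so check for remaining references before the Secret is deleted. The enclosing container and pod spec begin outside the hunk.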