bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

postgres: add flux + vault csi

Browse Source
This commit is contained in:
Brad Stein 2026-01-13 12:35:59 -03:00
parent 3fc9f7bbdb
commit 5aeec67bfb
6 changed files with 61 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
clusters/atlas/flux-system/applications/kustomization.yaml
View File

@ -25,5 +25,6 @@ resources:
- ai-llm/kustomization.yaml - ai-llm/kustomization.yaml
- nextcloud/kustomization.yaml - nextcloud/kustomization.yaml
- nextcloud-mail-sync/kustomization.yaml - nextcloud-mail-sync/kustomization.yaml
- postgres/kustomization.yaml
- outline/kustomization.yaml - outline/kustomization.yaml
- planka/kustomization.yaml - planka/kustomization.yaml

24
clusters/atlas/flux-system/applications/postgres/kustomization.yaml Normal file
View File

@ -0,0 +1,24 @@
# clusters/atlas/flux-system/applications/postgres/kustomization.yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: postgres
namespace: flux-system
spec:
interval: 10m
path: ./services/postgres
prune: true
force: true
sourceRef:
kind: GitRepository
name: flux-system
targetNamespace: postgres
dependsOn:
- name: vault
- name: vault-csi
healthChecks:
- apiVersion: apps/v1
kind: StatefulSet
name: postgres
namespace: postgres
wait: true

2
services/postgres/kustomization.yaml
View File

@ -4,5 +4,7 @@ kind: Kustomization
namespace: postgres namespace: postgres
resources: resources:
- namespace.yaml - namespace.yaml
- serviceaccount.yaml
- secretproviderclass.yaml
- service.yaml - service.yaml
- statefulset.yaml - statefulset.yaml

15
services/postgres/secretproviderclass.yaml Normal file
View File

@ -0,0 +1,15 @@
# services/postgres/secretproviderclass.yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: postgres-vault
namespace: postgres
spec:
provider: vault
parameters:
vaultAddress: "http://vault.vault.svc.cluster.local:8200"
roleName: "postgres"
objects: |
- objectName: "postgres_password"
secretPath: "kv/data/postgres"
secretKey: "POSTGRES_PASSWORD"

6
services/postgres/serviceaccount.yaml Normal file
View File

@ -0,0 +1,6 @@
# services/postgres/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: postgres-vault
namespace: postgres

18
services/postgres/statefulset.yaml
View File

@ -22,6 +22,7 @@ spec:
labels: labels:
app: postgres app: postgres
spec: spec:
serviceAccountName: postgres-vault
nodeSelector: nodeSelector:
node-role.kubernetes.io/worker: "true" node-role.kubernetes.io/worker: "true"
affinity: affinity:
@ -47,16 +48,23 @@ spec:
value: /var/lib/postgresql/data/pgdata value: /var/lib/postgresql/data/pgdata
- name: POSTGRES_USER - name: POSTGRES_USER
value: postgres value: postgres
- name: POSTGRES_PASSWORD - name: POSTGRES_PASSWORD_FILE
valueFrom: value: /mnt/vault/postgres_password
secretKeyRef:
name: postgres-auth
key: POSTGRES_PASSWORD
- name: POSTGRES_DB - name: POSTGRES_DB
value: postgres value: postgres
volumeMounts: volumeMounts:
- name: postgres-data - name: postgres-data
mountPath: /var/lib/postgresql/data mountPath: /var/lib/postgresql/data
- name: vault-secrets
mountPath: /mnt/vault
readOnly: true
volumes:
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: postgres-vault
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - metadata:
name: postgres-data name: postgres-data