fix(platform): render postgresql tls sync resources

2026-04-04 07:20:40 +08:00 · 2026-04-04 07:20:40 +08:00 · 8de8726693
commit 8de8726693
parent 094593efb9
3 changed files with 144 additions and 5 deletions
--- a/oci/charts/infra/platform/k3s/templates/postgresql-tls-ingress.yaml
+++ b/oci/charts/infra/platform/k3s/templates/postgresql-tls-ingress.yaml
@ -0,0 +1,39 @@
+{{- with .Values.components.postgresqlTlsIngress }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .serviceName }}
+  namespace: {{ .namespace }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: {{ .servicePort }}
+      targetPort: {{ .servicePort }}
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: {{ .serviceName }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .name }}
+  namespace: {{ .namespace }}
+spec:
+  ingressClassName: {{ .className }}
+  tls:
+    - hosts:
+        - {{ .host }}
+      secretName: {{ .secretName }}
+  rules:
+    - host: {{ .host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .serviceName }}
+                port:
+                  number: {{ .servicePort }}
+{{- end }}
--- a/oci/charts/infra/platform/k3s/templates/shared-tls-secret-sync.yaml
+++ b/oci/charts/infra/platform/k3s/templates/shared-tls-secret-sync.yaml
@ -0,0 +1,83 @@
+{{- with .Values.components.sharedTlsSecretSync }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .name }}
+  namespace: {{ $.Values.namespaces.platform }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .name }}-source
+  namespace: {{ .sourceNamespace }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["{{ .sourceSecretName }}"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .name }}-target
+  namespace: {{ .targetNamespace }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["{{ .targetSecretName }}"]
+    verbs: ["get", "create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .name }}-source
+  namespace: {{ .sourceNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .name }}-source
+subjects:
+  - kind: ServiceAccount
+    name: {{ .name }}
+    namespace: {{ $.Values.namespaces.platform }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .name }}-target
+  namespace: {{ .targetNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .name }}-target
+subjects:
+  - kind: ServiceAccount
+    name: {{ .name }}
+    namespace: {{ $.Values.namespaces.platform }}
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ .name }}
+  namespace: {{ $.Values.namespaces.platform }}
+spec:
+  schedule: {{ .refreshSchedule | quote }}
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: {{ .name }}
+          restartPolicy: OnFailure
+          containers:
+            - name: sync
+              image: bitnami/kubectl:latest
+              command:
+                - /bin/sh
+                - -ec
+                - |
+                  tmp=$(mktemp)
+                  kubectl -n {{ .sourceNamespace }} get secret {{ .sourceSecretName }} -o yaml \
+                    | sed '/^  resourceVersion:/d;/^  uid:/d;/^  creationTimestamp:/d;/^  managedFields:/d;/^  annotations:/d;/^  ownerReferences:/d;/^  namespace:/d;/^  selfLink:/d' \
+                    | kubectl -n {{ .targetNamespace }} apply -f -
+{{- end }}
--- a/oci/charts/infra/platform/k3s/values.yaml
+++ b/oci/charts/infra/platform/k3s/values.yaml
@ -88,7 +88,7 @@ components:
      refreshInterval: 1m
      secretStoreRef:
        kind: ClusterSecretStore
-        name: vault-platform
+        name: ""
      target:
        name: cloudflare-api-token
        creationPolicy: Owner
@ -113,8 +113,8 @@ components:
              name: cloudflare-api-token
              key: api-token
  externalSecretsStore:
-    enabled: true
-    name: vault-platform
+    enabled: false
+    name: ""
    vault:
      server: http://vault.extsvc.svc.cluster.local:8200
      path: secret
@ -126,8 +126,25 @@ components:
          serviceAccountRef:
            name: external-secrets
            namespace: platform
-  vault:
+  sharedTlsSecretSync:
    enabled: true
+    name: postgresql-vultr-tls-sync
+    sourceNamespace: platform
+    sourceSecretName: postgresql-vultr-tls
+    targetNamespace: database
+    targetSecretName: postgresql-vultr-tls
+    refreshSchedule: "*/5 * * * *"
+  postgresqlTlsIngress:
+    enabled: true
+    name: postgresql-vultr-tls
+    namespace: platform
+    className: caddy
+    serviceName: postgresql-vultr-tls-placeholder
+    servicePort: 80
+    host: postgresql-vultr.svc.plus
+    secretName: postgresql-vultr-tls
+  vault:
+    enabled: false
    releaseName: vault
    sourceRef:
      kind: HelmRepository
@ -175,7 +192,7 @@ apisixIngress:
      servicePort: 80

 vaultBootstrap:
-  enabled: true
+  enabled: false
  image: hashicorp/vault:1.16.3
  serviceAccountName: vault-bootstrap
  cloudflareSecretName: vault-bootstrap