feat(gitops): restore postgresql tls sync in platform

2026-04-04 08:25:52 +08:00 · 2026-04-04 08:25:52 +08:00 · 0bdfac9099
commit 0bdfac9099
parent d475d0aba6
6 changed files with 143 additions and 3 deletions
--- a/environments/clusters/prod/kustomization.yaml
+++ b/environments/clusters/prod/kustomization.yaml
@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespaces.yaml
+  - postgresql-tls-sync-kustomization.yaml
  - postgresql-prod-kustomization.yaml
  - stunnel-server-kustomization.yaml
  - stunnel-client-prod-kustomization.yaml
@ -9,4 +10,4 @@ resources:
  - accounts-prod-kustomization.yaml
  - observability-kustomization.yaml

-# Sync marker for Flux reconciliation on jp-k3s-vultr.svc.plus.
+# Sync marker for Flux reconciliation on postgresql-prod.svc.plus.
--- a/environments/clusters/prod/postgresql-tls-sync-kustomization.yaml
+++ b/environments/clusters/prod/postgresql-tls-sync-kustomization.yaml
@ -0,0 +1,14 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: postgresql-tls-sync
+  namespace: flux-system
+spec:
+  interval: 5m0s
+  prune: true
+  wait: true
+  timeout: 10m0s
+  sourceRef:
+    kind: GitRepository
+    name: platform-config
+  path: ./services/platform/postgresql-tls-sync
--- a/environments/clusters/prod/stunnel-server-kustomization.yaml
+++ b/environments/clusters/prod/stunnel-server-kustomization.yaml
@ -13,4 +13,5 @@ spec:
    name: platform-config
  path: ./services/database/stunnel-server
  dependsOn:
+    - name: postgresql-tls-sync
    - name: postgresql-prod
--- a/services/database/postgresql/README.md
+++ b/services/database/postgresql/README.md
@ -21,6 +21,6 @@ directory. Otherwise the ExternalSecrets controller will report

 Use `scripts/seed-vault-postgresql.sh` from a trusted admin shell to write the
 expected Vault keys from local environment variables or existing K8s Secrets.
-The ingress domain is `postgresql-<node-or-cluster>.svc.plus`. The shared TLS Secret for `postgresql-tls` is synchronized by the
-`k3s-platform` Helm chart into `database/postgresql-tls`, which
+The ingress domain is `postgresql-prod.svc.plus` for this prod cluster. The shared TLS Secret for `postgresql-tls` is synchronized by the
+`platform/postgresql-tls-sync` GitOps CronJob into `database/postgresql-tls`, which
 `stunnel-server` consumes directly. Do not commit the secret values to Git.
--- a/services/platform/postgresql-tls-sync/kustomization.yaml
+++ b/services/platform/postgresql-tls-sync/kustomization.yaml
@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - postgresql-tls-sync.yaml
--- a/services/platform/postgresql-tls-sync/postgresql-tls-sync.yaml
+++ b/services/platform/postgresql-tls-sync/postgresql-tls-sync.yaml
@ -0,0 +1,120 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgresql-tls-placeholder
+  namespace: platform
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 80
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: postgresql-tls-placeholder
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: postgresql-tls
+  namespace: platform
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: postgresql-prod.svc.plus
+spec:
+  ingressClassName: caddy
+  tls:
+    - hosts:
+        - postgresql-prod.svc.plus
+      secretName: postgresql-tls
+  rules:
+    - host: postgresql-prod.svc.plus
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: postgresql-tls-placeholder
+                port:
+                  number: 80
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql-tls-sync
+  namespace: platform
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: postgresql-tls-sync-source
+  namespace: platform
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["postgresql-tls"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: postgresql-tls-sync-target
+  namespace: database
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["postgresql-tls"]
+    verbs: ["get", "create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: postgresql-tls-sync-source
+  namespace: platform
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: postgresql-tls-sync-source
+subjects:
+  - kind: ServiceAccount
+    name: postgresql-tls-sync
+    namespace: platform
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: postgresql-tls-sync-target
+  namespace: database
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: postgresql-tls-sync-target
+subjects:
+  - kind: ServiceAccount
+    name: postgresql-tls-sync
+    namespace: platform
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: postgresql-tls-sync
+  namespace: platform
+spec:
+  schedule: "*/5 * * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: postgresql-tls-sync
+          restartPolicy: OnFailure
+          containers:
+            - name: sync
+              image: bitnami/kubectl:latest
+              command:
+                - /bin/sh
+                - -ec
+                - |
+                  kubectl -n platform get secret postgresql-tls -o yaml \
+                    | sed '/^  resourceVersion:/d;/^  uid:/d;/^  creationTimestamp:/d;/^  managedFields:/d;/^  annotations:/d;/^  ownerReferences:/d;/^  namespace:/d;/^  selfLink:/d' \
+                    | kubectl -n database apply -f -