From 0bdfac9099b3ef73cabb5c9388fb855383484133 Mon Sep 17 00:00:00 2001
From: Haitao Pan
Date: Sat, 4 Apr 2026 08:25:52 +0800
Subject: [PATCH] feat(gitops): restore postgresql tls sync in platform
---
 environments/clusters/prod/kustomization.yaml | 3 +-
 .../postgresql-tls-sync-kustomization.yaml | 14 ++
 .../prod/stunnel-server-kustomization.yaml | 1 +
 services/database/postgresql/README.md | 4 +-
 .../postgresql-tls-sync/kustomization.yaml | 4 +
 .../postgresql-tls-sync.yaml | 120 ++++++++++++++++++
 6 files changed, 143 insertions(+), 3 deletions(-)
 create mode 100644 environments/clusters/prod/postgresql-tls-sync-kustomization.yaml
 create mode 100644 services/platform/postgresql-tls-sync/kustomization.yaml
 create mode 100644 services/platform/postgresql-tls-sync/postgresql-tls-sync.yaml
diff --git a/environments/clusters/prod/kustomization.yaml b/environments/clusters/prod/kustomization.yaml
index 5e2a3fc..efd66c3 100644
--- a/environments/clusters/prod/kustomization.yaml
+++ b/environments/clusters/prod/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespaces.yaml
+  - postgresql-tls-sync-kustomization.yaml
   - postgresql-prod-kustomization.yaml
   - stunnel-server-kustomization.yaml
   - stunnel-client-prod-kustomization.yaml
@@ -9,4 +10,4 @@ resources:
   - accounts-prod-kustomization.yaml
   - observability-kustomization.yaml
 
-# Sync marker for Flux reconciliation on jp-k3s-vultr.svc.plus.
+# Sync marker for Flux reconciliation on postgresql-prod.svc.plus.
diff --git a/environments/clusters/prod/postgresql-tls-sync-kustomization.yaml b/environments/clusters/prod/postgresql-tls-sync-kustomization.yaml
new file mode 100644
index 0000000..25cb701
--- /dev/null
+++ b/environments/clusters/prod/postgresql-tls-sync-kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: postgresql-tls-sync
+  namespace: flux-system
+spec:
+  interval: 5m0s
+  prune: true
+  wait: true
+  timeout: 10m0s
+  sourceRef:
+    kind: GitRepository
+    name: platform-config
+  path: ./services/platform/postgresql-tls-sync
diff --git a/environments/clusters/prod/stunnel-server-kustomization.yaml b/environments/clusters/prod/stunnel-server-kustomization.yaml
index 7a58659..2361080 100644
--- a/environments/clusters/prod/stunnel-server-kustomization.yaml
+++ b/environments/clusters/prod/stunnel-server-kustomization.yaml
@@ -13,4 +13,5 @@ spec:
     name: platform-config
   path: ./services/database/stunnel-server
   dependsOn:
+    - name: postgresql-tls-sync
     - name: postgresql-prod
diff --git a/services/database/postgresql/README.md b/services/database/postgresql/README.md
index 3e7acef..e996c0b 100644
--- a/services/database/postgresql/README.md
+++ b/services/database/postgresql/README.md
@@ -21,6 +21,6 @@ directory. Otherwise the ExternalSecrets controller will report
 Use `scripts/seed-vault-postgresql.sh` from a trusted admin shell to write the expected Vault keys from local environment variables or existing K8s Secrets.
-The ingress domain is `postgresql-.svc.plus`. The shared TLS Secret for `postgresql-tls` is synchronized by the
-`k3s-platform` Helm chart into `database/postgresql-tls`, which
+The ingress domain is `postgresql-prod.svc.plus` for this prod cluster. The shared TLS Secret for `postgresql-tls` is synchronized by the
+`platform/postgresql-tls-sync` GitOps CronJob into `database/postgresql-tls`, which
 `stunnel-server` consumes directly. Do not commit the secret values to Git.
diff --git a/services/platform/postgresql-tls-sync/kustomization.yaml b/services/platform/postgresql-tls-sync/kustomization.yaml
new file mode 100644
index 0000000..78b4e11
--- /dev/null
+++ b/services/platform/postgresql-tls-sync/kustomization.yaml
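Review bot: The new `dependsOn` entry for `postgresql-tls-sync` in the stunnel-server Kustomization only waits for that Kustomization's own objects to report ready, and as far as Flux's readiness check goes a CronJob is ready as soon as it exists, so it does not guarantee that `database/postgresql-tls` has been populated when stunnel-server reconciles. The first copy happens on the next `*/5` tick, and only once the Ingress certificate has actually been issued, so stunnel-server can still come up with the Secret missing. If stunnel-server fails without it, add a one-shot `Job` with the same pod template beside the CronJob so the first sync does not wait for the schedule, or make stunnel-server tolerate the Secret appearing later. The `spec` block this `dependsOn` belongs to starts outside the hunk.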
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - postgresql-tls-sync.yaml
diff --git a/services/platform/postgresql-tls-sync/postgresql-tls-sync.yaml b/services/platform/postgresql-tls-sync/postgresql-tls-sync.yaml
new file mode 100644
index 0000000..c1018c3
--- /dev/null
+++ b/services/platform/postgresql-tls-sync/postgresql-tls-sync.yaml
@@ -0,0 +1,120 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgresql-tls-placeholder
+  namespace: platform
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 80
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: postgresql-tls-placeholder
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: postgresql-tls
+  namespace: platform
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: postgresql-prod.svc.plus
+spec:
+  ingressClassName: caddy
+  tls:
+    - hosts:
+        - postgresql-prod.svc.plus
+      secretName: postgresql-tls
+  rules:
+    - host: postgresql-prod.svc.plus
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: postgresql-tls-placeholder
+                port:
+                  number: 80
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql-tls-sync
+  namespace: platform
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: postgresql-tls-sync-source
+  namespace: platform
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["postgresql-tls"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: postgresql-tls-sync-target
+  namespace: database
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["postgresql-tls"]
+    verbs: ["get", "create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: postgresql-tls-sync-source
+  namespace: platform
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: postgresql-tls-sync-source
+subjects:
+  - kind: ServiceAccount
+    name: postgresql-tls-sync
+    namespace: platform
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: postgresql-tls-sync-target
+  namespace: database
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: postgresql-tls-sync-target
+subjects:
+  - kind: ServiceAccount
+    name: postgresql-tls-sync
+    namespace: platform
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: postgresql-tls-sync
+  namespace: platform
+spec:
+  schedule: "*/5 * * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: postgresql-tls-sync
+          restartPolicy: OnFailure
+          containers:
+            - name: sync
+              image: bitnami/kubectl:latest
+              command:
+                - /bin/sh
+                - -ec
+                - |
+                  kubectl -n platform get secret postgresql-tls -o yaml \
+                  | sed '/^ resourceVersion:/d;/^ uid:/d;/^ creationTimestamp:/d;/^ managedFields:/d;/^ annotations:/d;/^ ownerReferences:/d;/^ namespace:/d;/^ selfLink:/d' \
+                  | kubectl -n database apply -f -
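Review bot: The target Role cannot satisfy the first run: RBAC matches a request against a rule's `resourceNames` by the request's name, and a `create` request carries no name yet, so the `create` verb in `postgresql-tls-sync-target` never applies and `kubectl -n database apply -f -` is forbidden until `database/postgresql-tls` already exists; either commit a placeholder `Secret` of type `kubernetes.io/tls` in `database` and reduce the rule to `get`/`patch`, or grant `create` on `secrets` in a separate rule without `resourceNames`, accepting that it then covers every Secret in that namespace. In the source Role, `list` and `watch` are not used by the script and should be dropped so the ServiceAccount holds only `get` on the one Secret. The sed pipeline in the CronJob deletes only the `annotations:`, `ownerReferences:` and `managedFields:` key lines, so any nested entries (an issuer's annotations on the TLS Secret, for example) are left at a deeper indent and the result no longer parses as YAML; the single space after `^` in those patterns also looks like a rendering artefact of this diff rather than the real two-space indent, which should be confirmed against the file. Emitting a fresh manifest from a go-template, as below, removes the metadata filtering and its fragility altogether. Independently, `image: bitnami/kubectl:latest` should be pinned to a version tag or digest so the job cannot change behaviour on its own, and the pod template sets no `securityContext` or `resources`.
```yaml
              command:
                - /bin/sh
                - -ec
                - |
                  kubectl -n platform get secret postgresql-tls -o go-template='apiVersion: v1
                  kind: Secret
                  type: {{.type}}
                  metadata:
                    name: postgresql-tls
                    namespace: database
                  data:
                  {{range $k, $v := .data}}  {{$k}}: {{$v}}
                  {{end}}' | kubectl -n database apply -f -
```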