feat(gitops): restore postgresql tls sync in platform

Haitao Pan 2026-04-04 08:25:52 +08:00
parent d475d0aba6
commit 0bdfac9099
6 changed files with 143 additions and 3 deletions


@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- namespaces.yaml - namespaces.yaml
- postgresql-tls-sync-kustomization.yaml
- postgresql-prod-kustomization.yaml - postgresql-prod-kustomization.yaml
- stunnel-server-kustomization.yaml - stunnel-server-kustomization.yaml
- stunnel-client-prod-kustomization.yaml - stunnel-client-prod-kustomization.yaml
@ -9,4 +10,4 @@ resources:
- accounts-prod-kustomization.yaml - accounts-prod-kustomization.yaml
- observability-kustomization.yaml - observability-kustomization.yaml
# Sync marker for Flux reconciliation on jp-k3s-vultr.svc.plus. # Sync marker for Flux reconciliation on postgresql-prod.svc.plus.


@ -0,0 +1,14 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: postgresql-tls-sync
namespace: flux-system
spec:
interval: 5m0s
prune: true
wait: true
timeout: 10m0s
sourceRef:
kind: GitRepository
name: platform-config
path: ./services/platform/postgresql-tls-sync


@ -13,4 +13,5 @@ spec:
name: platform-config name: platform-config
path: ./services/database/stunnel-server path: ./services/database/stunnel-server
dependsOn: dependsOn:
- name: postgresql-tls-sync
- name: postgresql-prod - name: postgresql-prod
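Review bot: The new `dependsOn: - name: postgresql-tls-sync` entry only waits for that Flux Kustomization to report Ready, which happens once the Ingress, RBAC and CronJob objects are applied — not once the CronJob has actually produced `database/postgresql-tls`, whose first run is up to five minutes later and itself needs Caddy to have issued `platform/postgresql-tls` first. If stunnel-server mounts that Secret (the README in this commit says it "consumes directly"), its pods will presumably sit in ContainerCreating on a fresh cluster until the first sync lands, so the ordering this line promises is weaker than it looks. One way to close the gap is a `healthChecks` entry on the `postgresql-tls-sync` Kustomization pointing at `Secret postgresql-tls` in `database` — kstatus, as far as I recall, reports a status-less object as Current once it exists — or a documented bootstrap step such as `kubectl -n platform create job --from=cronjob/postgresql-tls-sync postgresql-tls-sync-initial`. Worth a comment on this line either way: `# waits for the Kustomization, not for the first CronJob run; see README`. The enclosing `spec` starts outside the hunk.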


@ -21,6 +21,6 @@ directory. Otherwise the ExternalSecrets controller will report
Use `scripts/seed-vault-postgresql.sh` from a trusted admin shell to write the Use `scripts/seed-vault-postgresql.sh` from a trusted admin shell to write the
expected Vault keys from local environment variables or existing K8s Secrets. expected Vault keys from local environment variables or existing K8s Secrets.
The ingress domain is `postgresql-<node-or-cluster>.svc.plus`. The shared TLS Secret for `postgresql-tls` is synchronized by the The ingress domain is `postgresql-prod.svc.plus` for this prod cluster. The shared TLS Secret for `postgresql-tls` is synchronized by the
`k3s-platform` Helm chart into `database/postgresql-tls`, which `platform/postgresql-tls-sync` GitOps CronJob into `database/postgresql-tls`, which
`stunnel-server` consumes directly. Do not commit the secret values to Git. `stunnel-server` consumes directly. Do not commit the secret values to Git.


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- postgresql-tls-sync.yaml


@ -0,0 +1,120 @@
apiVersion: v1
kind: Service
metadata:
name: postgresql-tls-placeholder
namespace: platform
spec:
type: ClusterIP
ports:
- port: 80
targetPort: 80
protocol: TCP
name: http
selector:
app.kubernetes.io/name: postgresql-tls-placeholder
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: postgresql-tls
namespace: platform
annotations:
external-dns.alpha.kubernetes.io/hostname: postgresql-prod.svc.plus
spec:
ingressClassName: caddy
tls:
- hosts:
- postgresql-prod.svc.plus
secretName: postgresql-tls
rules:
- host: postgresql-prod.svc.plus
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: postgresql-tls-placeholder
port:
number: 80
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: postgresql-tls-sync
namespace: platform
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: postgresql-tls-sync-source
namespace: platform
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["postgresql-tls"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: postgresql-tls-sync-target
namespace: database
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["postgresql-tls"]
verbs: ["get", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: postgresql-tls-sync-source
namespace: platform
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: postgresql-tls-sync-source
subjects:
- kind: ServiceAccount
name: postgresql-tls-sync
namespace: platform
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: postgresql-tls-sync-target
namespace: database
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: postgresql-tls-sync-target
subjects:
- kind: ServiceAccount
name: postgresql-tls-sync
namespace: platform
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: postgresql-tls-sync
namespace: platform
spec:
schedule: "*/5 * * * *"
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
spec:
serviceAccountName: postgresql-tls-sync
restartPolicy: OnFailure
containers:
- name: sync
image: bitnami/kubectl:latest
command:
- /bin/sh
- -ec
- |
kubectl -n platform get secret postgresql-tls -o yaml \
| sed '/^ resourceVersion:/d;/^ uid:/d;/^ creationTimestamp:/d;/^ managedFields:/d;/^ annotations:/d;/^ ownerReferences:/d;/^ namespace:/d;/^ selfLink:/d' \
| kubectl -n database apply -f -
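Review bot: The `postgresql-tls-sync-target` Role cannot authorize the first sync: Kubernetes RBAC does not apply `resourceNames` to `create`, so the rule with `resourceNames: ["postgresql-tls"]` never matches the POST that `kubectl apply` issues when `database/postgresql-tls` does not exist yet, and with `restartPolicy: OnFailure` the Job will retry on Forbidden until someone creates the Secret by hand. Split the rule so `get`/`update`/`patch` stay name-scoped and `create` on `secrets` is granted in a separate rule without `resourceNames`; for the same reason `list`/`watch` in the source Role buy nothing (the script only does `get`) and should be dropped. The `sed` filter is also fragile — it deletes the `annotations:` and `managedFields:` parent keys but not their indented children, so the output is invalid YAML whenever the source Secret carries annotations, which a cert issued by an ingress controller plausibly does — and `bitnami/kubectl:latest` is an unpinned mutable tag on a job that handles the private key; pin it to a version, ideally by digest. A more robust copy extracts only `tls.crt`/`tls.key` and rebuilds the target with `kubectl create secret tls --dry-run=client`, which additionally verifies that the certificate and key match.
```yaml
kind: Role
metadata:
  name: postgresql-tls-sync-target
  namespace: database
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["postgresql-tls"]
    verbs: ["get", "update", "patch"]
  # create cannot be restricted by resourceNames; grant it unscoped
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
# … unchanged: RoleBindings, CronJob up to the container spec …
          containers:
            - name: sync
              # pin to a release and digest; do not ship :latest for a job that reads the key
              image: bitnami/kubectl:<pinned-version>@sha256:<digest>
              command:
                - /bin/sh
                - -ec
                - |
                  d=$(mktemp -d)
                  kubectl -n platform get secret postgresql-tls \
                    -o jsonpath='{.data.tls\.crt}' | base64 -d > "$d/tls.crt"
                  kubectl -n platform get secret postgresql-tls \
                    -o jsonpath='{.data.tls\.key}' | base64 -d > "$d/tls.key"
                  # create secret tls validates that cert and key belong together
                  kubectl -n database create secret tls postgresql-tls \
                    --cert="$d/tls.crt" --key="$d/tls.key" \
                    --dry-run=client -o yaml | kubectl -n database apply -f -
                  rm -rf "$d"
```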