feat(gitops): manage postgresql tls with cert-manager

This commit is contained in:
Haitao Pan 2026-04-04 10:33:41 +08:00
parent 2f511f5633
commit e37a029c67
15 changed files with 129 additions and 129 deletions


@ -1,7 +1,7 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1 apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization kind: Kustomization
metadata: metadata:
name: postgresql-tls-sync name: cert-manager-issuer
namespace: flux-system namespace: flux-system
spec: spec:
interval: 5m0s interval: 5m0s
@ -11,4 +11,4 @@ spec:
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: platform-config name: platform-config
path: ./services/platform/postgresql-tls-sync path: ./services/platform/cert-manager


@ -2,7 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- namespaces.yaml - namespaces.yaml
- postgresql-tls-sync-kustomization.yaml - cert-manager-kustomization.yaml
- postgresql-tls-platform-kustomization.yaml
- postgresql-tls-database-kustomization.yaml
- postgresql-prod-kustomization.yaml - postgresql-prod-kustomization.yaml
- stunnel-server-kustomization.yaml - stunnel-server-kustomization.yaml
- stunnel-client-prod-kustomization.yaml - stunnel-client-prod-kustomization.yaml
@ -10,4 +12,4 @@ resources:
- accounts-prod-kustomization.yaml - accounts-prod-kustomization.yaml
- observability-kustomization.yaml - observability-kustomization.yaml
# Sync marker for Flux reconciliation on postgresql-prod.svc.plus. # cert-manager owns postgresql-tls in each namespace; no cross-namespace sync job.


@ -0,0 +1,16 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: postgresql-tls-database
namespace: flux-system
spec:
interval: 5m0s
prune: true
wait: true
timeout: 10m0s
sourceRef:
kind: GitRepository
name: platform-config
path: ./services/database/postgresql-tls
dependsOn:
- name: cert-manager-issuer


@ -0,0 +1,16 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: postgresql-tls-platform
namespace: flux-system
spec:
interval: 5m0s
prune: true
wait: true
timeout: 10m0s
sourceRef:
kind: GitRepository
name: platform-config
path: ./services/platform/postgresql-tls
dependsOn:
- name: cert-manager-issuer


@ -13,5 +13,5 @@ spec:
name: platform-config name: platform-config
path: ./services/database/stunnel-server path: ./services/database/stunnel-server
dependsOn: dependsOn:
- name: postgresql-tls-sync - name: postgresql-tls-database
- name: postgresql-prod - name: postgresql-prod


@ -0,0 +1,14 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: postgresql-tls
namespace: database
spec:
secretName: postgresql-tls
commonName: postgresql-prod.svc.plus
dnsNames:
- postgresql-prod.svc.plus
issuerRef:
name: svc-plus-selfsigned
kind: ClusterIssuer
group: cert-manager.io
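Review bot: This `Certificate` and the identical one in the `platform` namespace (the later Certificate hunk) are issued independently by a `selfSigned` issuer, so each gets its own key pair and its own self-signed leaf certificate; the two `postgresql-tls` Secrets are no longer the same material, which the deleted CronJob used to guarantee by copying. Anything that verified or pinned the `stunnel-server` certificate against the ingress copy will now see a different certificate, and a self-signed leaf gives clients no CA to verify against at all. If clients are meant to verify, `issuerRef` should point at a CA-backed issuer rather than `svc-plus-selfsigned` (bootstrapping that CA belongs in the ClusterIssuer file). If the two Secrets are genuinely meant to be independent, a comment above `spec:` such as `# Independent of platform/postgresql-tls: separate key and cert, not a synced copy.` would stop the next reader from assuming they are still copies.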


@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: database
resources:
- certificate.yaml


@ -21,6 +21,8 @@ directory. Otherwise the ExternalSecrets controller will report
Use `scripts/seed-vault-postgresql.sh` from a trusted admin shell to write the Use `scripts/seed-vault-postgresql.sh` from a trusted admin shell to write the
expected Vault keys from local environment variables or existing K8s Secrets. expected Vault keys from local environment variables or existing K8s Secrets.
The ingress domain is `postgresql-prod.svc.plus` for this prod cluster. The shared TLS Secret for `postgresql-tls` is synchronized by the The ingress domain is `postgresql-prod.svc.plus` for this prod cluster. TLS for
`platform/postgresql-tls-sync` GitOps CronJob into `database/postgresql-tls`, which `postgresql-tls` is now owned directly by cert-manager in both the `platform`
`stunnel-server` consumes directly. Do not commit the secret values to Git. and `database` namespaces, so `stunnel-server` can mount the database-local
Secret without any cross-namespace sync job. Do not commit the secret values to
Git.


@ -0,0 +1,6 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: svc-plus-selfsigned
spec:
selfSigned: {}
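Review bot: Using a `selfSigned` ClusterIssuer directly for the two `postgresql-tls` leaf certificates produces server certificates with no common trust anchor, so a stunnel client cannot verify `postgresql-prod.svc.plus` without pinning each individual certificate, and every renewal can change what it has to pin. The usual cert-manager shape is to let the selfSigned issuer bootstrap only a CA `Certificate` (`isCA: true`) and then issue the leaf certificates from a `ca` ClusterIssuer that references the CA's Secret, so both `postgresql-tls` certificates chain to one CA that clients can trust. The sketch below uses constructed names; a `ca` ClusterIssuer reads its Secret from cert-manager's cluster resource namespace, so the CA `Certificate` must be created there, and the two `Certificate` `issuerRef`s would then name the new issuer.
```yaml
# … unchanged: svc-plus-selfsigned ClusterIssuer …
---
# Constructed example: CA bootstrapped by the selfSigned issuer.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: svc-plus-ca                # constructed name
  namespace: cert-manager          # cluster resource namespace; adjust to the install
spec:
  isCA: true
  commonName: svc-plus-ca
  secretName: svc-plus-ca
  issuerRef:
    name: svc-plus-selfsigned
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: svc-plus-ca                # constructed name
spec:
  ca:
    secretName: svc-plus-ca
```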


@ -1,4 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- postgresql-tls-sync.yaml - clusterissuer.yaml


@ -1,120 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: postgresql-tls-placeholder
namespace: platform
spec:
type: ClusterIP
ports:
- port: 80
targetPort: 80
protocol: TCP
name: http
selector:
app.kubernetes.io/name: postgresql-tls-placeholder
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: postgresql-tls
namespace: platform
annotations:
external-dns.alpha.kubernetes.io/hostname: postgresql-prod.svc.plus
spec:
ingressClassName: caddy
tls:
- hosts:
- postgresql-prod.svc.plus
secretName: postgresql-tls
rules:
- host: postgresql-prod.svc.plus
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: postgresql-tls-placeholder
port:
number: 80
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: postgresql-tls-sync
namespace: platform
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: postgresql-tls-sync-source
namespace: platform
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["postgresql-tls"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: postgresql-tls-sync-target
namespace: database
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["postgresql-tls"]
verbs: ["get", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: postgresql-tls-sync-source
namespace: platform
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: postgresql-tls-sync-source
subjects:
- kind: ServiceAccount
name: postgresql-tls-sync
namespace: platform
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: postgresql-tls-sync-target
namespace: database
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: postgresql-tls-sync-target
subjects:
- kind: ServiceAccount
name: postgresql-tls-sync
namespace: platform
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: postgresql-tls-sync
namespace: platform
spec:
schedule: "* * * * *"
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
spec:
serviceAccountName: postgresql-tls-sync
restartPolicy: OnFailure
containers:
- name: sync
image: bitnami/kubectl:latest
command:
- /bin/sh
- -ec
- |
kubectl -n platform get secret postgresql-tls -o yaml \
| sed '/^ resourceVersion:/d;/^ uid:/d;/^ creationTimestamp:/d;/^ managedFields:/d;/^ annotations:/d;/^ ownerReferences:/d;/^ namespace:/d;/^ selfLink:/d' \
| kubectl -n database apply -f -


@ -0,0 +1,14 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: postgresql-tls
namespace: platform
spec:
secretName: postgresql-tls
commonName: postgresql-prod.svc.plus
dnsNames:
- postgresql-prod.svc.plus
issuerRef:
name: svc-plus-selfsigned
kind: ClusterIssuer
group: cert-manager.io


@ -0,0 +1,24 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: postgresql-tls
namespace: platform
annotations:
external-dns.alpha.kubernetes.io/hostname: postgresql-prod.svc.plus
spec:
ingressClassName: caddy
tls:
- hosts:
- postgresql-prod.svc.plus
secretName: postgresql-tls
rules:
- host: postgresql-prod.svc.plus
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: postgresql-tls-placeholder
port:
number: 80
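Review bot: The Ingress backend `postgresql-tls-placeholder` has no workload anywhere in this commit (nothing carries the `app.kubernetes.io/name: postgresql-tls-placeholder` label that the Service in the placeholder-service hunk selects), so any HTTPS request that reaches `postgresql-prod.svc.plus` lands on a Service with no endpoints. The manifest is carried over from the deleted `postgresql-tls-sync` file rather than new, so this commit does not change that behaviour, but it is now the only reason the Ingress exists. If the Ingress is kept solely so `external-dns` publishes the hostname, a comment above `metadata:` such as `# DNS publication only: the placeholder backend has no pods by design.` would make that intent explicit; otherwise the missing Deployment is a gap.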


@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: platform
resources:
- certificate.yaml
- placeholder-service.yaml
- ingress.yaml


@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: postgresql-tls-placeholder
namespace: platform
spec:
type: ClusterIP
ports:
- port: 80
targetPort: 80
protocol: TCP
name: http
selector:
app.kubernetes.io/name: postgresql-tls-placeholder