# PostgreSQL GitOps Bootstrap

This stack uses ExternalSecrets to materialize runtime credentials from Vault.
The GitOps manifests intentionally do not store secret values.

## Vault paths expected by this stack

- `postgresql.svc.plus`
  - `POSTGRES_USER`
  - `POSTGRES_PASSWORD`
  - `GHCR_USERNAME`
  - `GHCR_TOKEN`
## Bootstrap rule

Before or during initial reconciliation, the Vault key `postgresql.svc.plus`
must be seeded with the runtime credentials expected by the manifests in this
directory. Otherwise the ExternalSecrets controller will report
`Secret does not exist`.

## Helper

Use `scripts/seed-vault-postgresql.sh` from a trusted admin shell to write the
expected Vault keys from local environment variables or existing K8s Secrets.
The ingress domain is `postgresql-prod.svc.plus` for this prod cluster. TLS for
`postgresql-tls` is now owned directly by cert-manager in both the `platform`
and `database` namespaces, so `stunnel-server` can mount the database-local
Secret without any cross-namespace sync job. Do not commit the secret values to
Git.