ai-workspace-infra/gitops
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1c89ab5d98
gitops/services/database/postgresql
History
Haitao Pan 1c89ab5d98 fix(gitops): point postgresql charts to svc-design ghcr
2026-04-03 18:49:56 +08:00
..
helmrelease.yaml refactor(gitops): consolidate database services and prune legacy assets 2026-04-03 15:52:23 +08:00
initdb-configmap.yaml refactor(gitops): consolidate database services and prune legacy assets 2026-04-03 15:52:23 +08:00
kustomization.yaml refactor(gitops): consolidate database services and prune legacy assets 2026-04-03 15:52:23 +08:00
oci-repository.yaml fix(gitops): point postgresql charts to svc-design ghcr 2026-04-03 18:49:56 +08:00
README.md refactor(gitops): consolidate database services and prune legacy assets 2026-04-03 15:52:23 +08:00
stunnel-client-configmap.yaml refactor(gitops): consolidate database services and prune legacy assets 2026-04-03 15:52:23 +08:00
stunnel-client-deployment.yaml refactor(gitops): consolidate database services and prune legacy assets 2026-04-03 15:52:23 +08:00
stunnel-client-service.yaml refactor(gitops): consolidate database services and prune legacy assets 2026-04-03 15:52:23 +08:00
stunnel-server-configmap.yaml refactor(gitops): consolidate database services and prune legacy assets 2026-04-03 15:52:23 +08:00
stunnel-server-deployment.yaml refactor(gitops): consolidate database services and prune legacy assets 2026-04-03 15:52:23 +08:00
stunnel-server-service.yaml refactor(gitops): consolidate database services and prune legacy assets 2026-04-03 15:52:23 +08:00
values.yaml refactor(gitops): consolidate database services and prune legacy assets 2026-04-03 15:52:23 +08:00

README.md

PostgreSQL GitOps Bootstrap

This stack uses ExternalSecrets to materialize runtime credentials from Vault. The GitOps manifests intentionally do not store secret values.

Vault paths expected by this stack

  • postgresql.svc.plus
    • POSTGRES_USER
    • POSTGRES_PASSWORD
    • GHCR_USERNAME
    • GHCR_TOKEN

Bootstrap rule

Before or during initial reconciliation, the Vault key postgresql.svc.plus must be seeded with the runtime credentials expected by the manifests in this directory. Otherwise the ExternalSecrets controller will report Secret does not exist.

Helper

Use scripts/seed-vault-postgresql.sh from a trusted admin shell to write the expected Vault keys from local environment variables or existing K8s Secrets. The shared TLS Secret for postgresql-vultr.svc.plus is synchronized by the k3s-platform Helm chart into database/postgresql-vultr-tls, which stunnel-server consumes directly. Do not commit the secret values to Git.