From 0c6f0a13c3a2977d6eec64268cadb0f923a827e7 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Mon, 19 Jan 2026 18:02:42 -0800
Subject: [PATCH] Add CNPG default values to prevent ArgoCD drift

CloudNativePG operator fills in connectionLimit, ensure, and inherit
defaults on managed roles. Adding these explicitly keeps ArgoCD in sync.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 argocd/manifests/databases/blumeops-pg.yaml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/argocd/manifests/databases/blumeops-pg.yaml b/argocd/manifests/databases/blumeops-pg.yaml
index 3834c43..e8dfd49 100644
--- a/argocd/manifests/databases/blumeops-pg.yaml
+++ b/argocd/manifests/databases/blumeops-pg.yaml
@@ -19,6 +19,7 @@ spec:
       owner: miniflux
 
   # Managed roles - additional users beyond the bootstrap owner
+  # Note: connectionLimit, ensure, inherit are CNPG defaults added to prevent ArgoCD drift
   managed:
     roles:
       # eblume superuser for admin access (matches current brew pg setup)
@@ -27,12 +28,17 @@ spec:
         superuser: true
         createdb: true
         createrole: true
+        connectionLimit: -1
+        ensure: present
+        inherit: true
         passwordSecret:
           name: blumeops-pg-eblume
       # borgmatic read-only user for backups
       - name: borgmatic
         login: true
-        superuser: false
+        connectionLimit: -1
+        ensure: present
+        inherit: true
         inRoles:
           - pg_read_all_data
         passwordSecret: