C2(migrate-immich-to-ringtail): impl add immich-pg cluster + app on ringtail

Mirror of argocd/manifests/databases/immich-pg.yaml on ringtail: - Same VectorChord image (PG17 + VectorChord 0.5.0) - Same extensions (vector, vchord, cube, earthdistance) via postInitSQL - Same managed borgmatic role with pg_read_all_data - 10 GiB local-path storage (matches minikube source) - shared_preload_libraries: vchord.so - Empty initdb today; bootstrap block will be rewritten when immich-pg-data-migration picks its import method. ArgoCD app databases-ringtail targets ringtail/databases. ExternalSecret reuses the onepassword-blumeops ClusterSecretStore that already exists on ringtail via external-secrets-ringtail. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 12:17:18 -07:00 · 2026-05-13 12:17:18 -07:00 · 29da047441
commit 29da047441
parent 33a5a05c9c
4 changed files with 134 additions and 0 deletions
--- a/argocd/apps/databases-ringtail.yaml
+++ b/argocd/apps/databases-ringtail.yaml
@ -0,0 +1,26 @@
+# Databases on ringtail k3s.
+#
+# Today: only immich-pg (CNPG Cluster) + its borgmatic ExternalSecret.
+# More databases may move here as the indri-k8s decommission proceeds.
+#
+# Prerequisites:
+# - cloudnative-pg-ringtail (operator must exist before the Cluster CR)
+# - external-secrets-ringtail + 1password-connect-ringtail (for the
+#   immich-pg-borgmatic ExternalSecret to sync)
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: databases-ringtail
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
+    targetRevision: main
+    path: argocd/manifests/databases-ringtail
+  destination:
+    server: https://ringtail.tail8d86e.ts.net:6443
+    namespace: databases
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/manifests/databases-ringtail/external-secret-immich-borgmatic.yaml
+++ b/argocd/manifests/databases-ringtail/external-secret-immich-borgmatic.yaml
@ -0,0 +1,32 @@
+# ExternalSecret for borgmatic backup user password on immich-pg cluster
+# (ringtail k3s).
+#
+# Mirror of argocd/manifests/databases/external-secret-immich-borgmatic.yaml.
+# The onepassword-blumeops ClusterSecretStore exists on ringtail via the
+# external-secrets-ringtail app.
+#
+# 1Password item: "borgmatic" in blumeops vault
+# Field: "db-password"
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: immich-pg-borgmatic
+  namespace: databases
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-blumeops
+  target:
+    name: immich-pg-borgmatic
+    creationPolicy: Owner
+    template:
+      type: kubernetes.io/basic-auth
+      data:
+        username: borgmatic
+        password: "{{ .password }}"
+  data:
+    - secretKey: password
+      remoteRef:
+        key: borgmatic
+        property: db-password
--- a/argocd/manifests/databases-ringtail/immich-pg.yaml
+++ b/argocd/manifests/databases-ringtail/immich-pg.yaml
@ -0,0 +1,68 @@
+# PostgreSQL Cluster for Immich on ringtail k3s.
+#
+# Mirror of argocd/manifests/databases/immich-pg.yaml (minikube), with
+# ringtail-specific tweaks (storageClass: local-path). The bootstrap
+# section may be rewritten when [[immich-pg-data-migration]] picks an
+# import method — both pg_dump/restore and CNPG externalCluster
+# basebackup require touching this block.
+#
+# Uses VectorChord (successor to pgvecto.rs) for AI-powered vector
+# search. See: https://github.com/immich-app/immich/discussions/9060
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: immich-pg
+  namespace: databases
+spec:
+  instances: 1
+  # VectorChord image for PostgreSQL 17 with VectorChord 0.5.0
+  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17-0.5.0
+
+  storage:
+    size: 10Gi
+    storageClass: local-path
+
+  # Bootstrap creates initial database and owner.
+  # Empty initdb today; replaced by the chosen data-migration method
+  # in immich-pg-data-migration.
+  bootstrap:
+    initdb:
+      database: immich
+      owner: immich
+      postInitSQL:
+        - CREATE EXTENSION IF NOT EXISTS vector;
+        - CREATE EXTENSION IF NOT EXISTS vchord CASCADE;
+        - CREATE EXTENSION IF NOT EXISTS cube CASCADE;
+        - CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;
+
+  # Managed roles
+  managed:
+    roles:
+      - name: borgmatic
+        login: true
+        connectionLimit: -1
+        ensure: present
+        inherit: true
+        inRoles:
+          - pg_read_all_data
+        passwordSecret:
+          name: immich-pg-borgmatic
+
+  resources:
+    requests:
+      memory: "256Mi"
+      cpu: "100m"
+    limits:
+      memory: "1Gi"
+      cpu: "500m"
+
+  postgresql:
+    shared_preload_libraries:
+      - "vchord.so"
+    parameters:
+      max_connections: "50"
+      shared_buffers: "128MB"
+      password_encryption: "scram-sha-256"
+    pg_hba:
+      - host all all 0.0.0.0/0 scram-sha-256
+      - host all all ::/0 scram-sha-256
--- a/argocd/manifests/databases-ringtail/kustomization.yaml
+++ b/argocd/manifests/databases-ringtail/kustomization.yaml
@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: databases
+
+resources:
+  - immich-pg.yaml
+  - external-secret-immich-borgmatic.yaml