From 29da0474417090a61a01b225cff443c8dd2cf30e Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Wed, 13 May 2026 12:17:18 -0700
Subject: [PATCH] C2(migrate-immich-to-ringtail): impl add immich-pg cluster + app on ringtail

Mirror of argocd/manifests/databases/immich-pg.yaml on ringtail:
- Same VectorChord image (PG17 + VectorChord 0.5.0)
- Same extensions (vector, vchord, cube, earthdistance) via postInitSQL
- Same managed borgmatic role with pg_read_all_data
- 10 GiB local-path storage (matches minikube source)
- shared_preload_libraries: vchord.so
- Empty initdb today; bootstrap block will be rewritten when immich-pg-data-migration picks its import method.

ArgoCD app databases-ringtail targets ringtail/databases. ExternalSecret reuses the onepassword-blumeops ClusterSecretStore that already exists on ringtail via external-secrets-ringtail.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 argocd/apps/databases-ringtail.yaml | 26 +++++++
 .../external-secret-immich-borgmatic.yaml | 32 +++++++++
 .../databases-ringtail/immich-pg.yaml | 68 +++++++++++++++++++
 .../databases-ringtail/kustomization.yaml | 8 +++
 4 files changed, 134 insertions(+)
 create mode 100644 argocd/apps/databases-ringtail.yaml
 create mode 100644 argocd/manifests/databases-ringtail/external-secret-immich-borgmatic.yaml
 create mode 100644 argocd/manifests/databases-ringtail/immich-pg.yaml
 create mode 100644 argocd/manifests/databases-ringtail/kustomization.yaml
diff --git a/argocd/apps/databases-ringtail.yaml b/argocd/apps/databases-ringtail.yaml
new file mode 100644
index 0000000..00de4e3
--- /dev/null
+++ b/argocd/apps/databases-ringtail.yaml
@@ -0,0 +1,26 @@
+# Databases on ringtail k3s.
+#
+# Today: only immich-pg (CNPG Cluster) + its borgmatic ExternalSecret.
+# More databases may move here as the indri-k8s decommission proceeds.
+#
+# Prerequisites:
+# - cloudnative-pg-ringtail (operator must exist before the Cluster CR)
+# - external-secrets-ringtail + 1password-connect-ringtail (for the
+#   immich-pg-borgmatic ExternalSecret to sync)
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: databases-ringtail
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
+    targetRevision: main
+    path: argocd/manifests/databases-ringtail
+  destination:
+    server: https://ringtail.tail8d86e.ts.net:6443
+    namespace: databases
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
diff --git a/argocd/manifests/databases-ringtail/external-secret-immich-borgmatic.yaml b/argocd/manifests/databases-ringtail/external-secret-immich-borgmatic.yaml
new file mode 100644
index 0000000..3d1fc14
--- /dev/null
+++ b/argocd/manifests/databases-ringtail/external-secret-immich-borgmatic.yaml
@@ -0,0 +1,32 @@
+# ExternalSecret for borgmatic backup user password on immich-pg cluster
+# (ringtail k3s).
+#
+# Mirror of argocd/manifests/databases/external-secret-immich-borgmatic.yaml.
+# The onepassword-blumeops ClusterSecretStore exists on ringtail via the
+# external-secrets-ringtail app.
+#
+# 1Password item: "borgmatic" in blumeops vault
+# Field: "db-password"
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: immich-pg-borgmatic
+  namespace: databases
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-blumeops
+  target:
+    name: immich-pg-borgmatic
+    creationPolicy: Owner
+    template:
+      type: kubernetes.io/basic-auth
+      data:
+        username: borgmatic
+        password: "{{ .password }}"
+  data:
+    - secretKey: password
+      remoteRef:
+        key: borgmatic
+        property: db-password
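Review bot: `project: default` under `spec` places this Application in the unrestricted default AppProject, which allows any source repository and any destination cluster or namespace; because this app deploys cross-cluster to ringtail, a dedicated AppProject with `sourceRepos` pinned to the forge repository and `destinations` limited to the ringtail server and the `databases` namespace would bound what a mis-edited or hijacked Application can apply. The Prerequisites comment is not enforced by anything in the manifest: if cloudnative-pg-ringtail has not synced yet, the Cluster CR in this app fails the dry run on the missing CRD. That may be acceptable if the ordering is handled elsewhere, but it is worth stating, e.g. `# Sync cloudnative-pg-ringtail first; this app deliberately does not set SkipDryRunOnMissingResource.`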
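Review bot: The hard-coded `username: borgmatic` under `target.template.data` duplicates the role name that immich-pg.yaml's `managed.roles` entry expects, and nothing in either file ties the two together; a one-line comment such as `# username must match spec.managed.roles[].name in immich-pg.yaml` would make the coupling visible to whoever renames either side. With `refreshInterval: 1h` a rotated 1Password field reaches the Kubernetes Secret within the hour, but whether CNPG then re-applies the new password to the `borgmatic` role depends on the operator detecting the Secret change — presumably it does, but confirm on ringtail before relying on rotation for backup credentials.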
diff --git a/argocd/manifests/databases-ringtail/immich-pg.yaml b/argocd/manifests/databases-ringtail/immich-pg.yaml
new file mode 100644
index 0000000..4650109
--- /dev/null
+++ b/argocd/manifests/databases-ringtail/immich-pg.yaml
@@ -0,0 +1,68 @@
+# PostgreSQL Cluster for Immich on ringtail k3s.
+#
+# Mirror of argocd/manifests/databases/immich-pg.yaml (minikube), with
+# ringtail-specific tweaks (storageClass: local-path). The bootstrap
+# section may be rewritten when [[immich-pg-data-migration]] picks an
+# import method — both pg_dump/restore and CNPG externalCluster
+# basebackup require touching this block.
+#
+# Uses VectorChord (successor to pgvecto.rs) for AI-powered vector
+# search. See: https://github.com/immich-app/immich/discussions/9060
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: immich-pg
+  namespace: databases
+spec:
+  instances: 1
+  # VectorChord image for PostgreSQL 17 with VectorChord 0.5.0
+  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17-0.5.0
+
+  storage:
+    size: 10Gi
+    storageClass: local-path
+
+  # Bootstrap creates initial database and owner.
+  # Empty initdb today; replaced by the chosen data-migration method
+  # in immich-pg-data-migration.
+  bootstrap:
+    initdb:
+      database: immich
+      owner: immich
+      postInitSQL:
+        - CREATE EXTENSION IF NOT EXISTS vector;
+        - CREATE EXTENSION IF NOT EXISTS vchord CASCADE;
+        - CREATE EXTENSION IF NOT EXISTS cube CASCADE;
+        - CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;
+
+  # Managed roles
+  managed:
+    roles:
+      - name: borgmatic
+        login: true
+        connectionLimit: -1
+        ensure: present
+        inherit: true
+        inRoles:
+          - pg_read_all_data
+        passwordSecret:
+          name: immich-pg-borgmatic
+
+  resources:
+    requests:
+      memory: "256Mi"
+      cpu: "100m"
+    limits:
+      memory: "1Gi"
+      cpu: "500m"
+
+  postgresql:
+    shared_preload_libraries:
+      - "vchord.so"
+    parameters:
+      max_connections: "50"
+      shared_buffers: "128MB"
+      password_encryption: "scram-sha-256"
+    pg_hba:
+      - host all all 0.0.0.0/0 scram-sha-256
+      - host all all ::/0 scram-sha-256
diff --git a/argocd/manifests/databases-ringtail/kustomization.yaml b/argocd/manifests/databases-ringtail/kustomization.yaml
new file mode 100644
index 0000000..5c44bc2
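Review bot: The two `pg_hba` rules at the end of the hunk use `host`, which accepts plaintext (non-TLS) connections from any address as long as the SCRAM exchange succeeds; CNPG already appends its own `host all all all scram-sha-256` catch-all after user-defined rules, so as written these two lines add nothing, whereas `hostssl all all 0.0.0.0/0 scram-sha-256` and `hostssl all all ::/0 scram-sha-256` would actually require TLS on the wire for every client in the cluster. Separately, `postInitSQL` under `bootstrap.initdb` runs as superuser in the `postgres` database rather than in `immich`; if the four `CREATE EXTENSION` lines are meant to pre-install vector/vchord/cube/earthdistance for the non-superuser `immich` owner, `postInitApplicationSQL` is the field that executes in the application database. The minikube source this mirrors may carry the same pattern, so check which database actually holds the extensions there before changing it. Both points rest on CNPG's documented semantics rather than on anything visible in the hunk, so verify against the operator version deployed on ringtail.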
--- /dev/null
+++ b/argocd/manifests/databases-ringtail/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: databases
+
+resources:
+  - immich-pg.yaml
+  - external-secret-immich-borgmatic.yaml